1. Introduction

This  standard  specifies  the  Rijndael  algorithm  ([3]  and  [4]),  a  symmetric  block  cipher  that  can 
process  data  blocks  of  128  bits,  using  cipher  keys  with  lengths  of  128,  192,  and  256  bits. 
Rijndael  was  designed  to  handle  additional  block  sizes  and  key  lengths,  however  they  are  not 
adopted  in  this  standard. 

Throughout  the  remainder  of  this  standard,  the  algorithm  specified  herein  will  be  referred  to  as 
“the  AES  algorithm.”  The  algorithm  may  be  used  with  the  three  different  key  lengths  indicated 
above,  and  therefore  these  different  “flavors”  may  be  referred  to  as  “AES-128”,  “AES-192”,  and 
“AES-256”. 

This  specification  includes  the  following  sections: 

2.  Definitions  of  terms,  acronyms,  and  algorithm  parameters,  symbols,  and  functions; 

3.  Notation  and  conventions  used  in  the  algorithm  specification,  including  the  ordering  and 
numbering  of  bits,  bytes,  and  words; 

4.  Mathematical  properties  that  are  useful  in  understanding  the  algorithm; 

5.  Algorithm  specification,  covering  the  key  expansion,  encryption,  and  decryption  routines; 

6.  Implementation  issues,  such  as  key  length  support,  keying  restrictions,  and  additional 
block/key/round  sizes. 

The  standard  concludes  with  several  appendices  that  include  step-by-step  examples  for  Key 
Expansion  and  the  Cipher,  example  vectors  for  the  Cipher  and  Inverse  Cipher,  and  a  list  of 
references. 


2.  Definitions 


2.1  Glossary  of  Terms  and  Acronyms 

The  following  definitions  are  used  throughout  this  standard: 

AES                    Advanced Encryption Standard

Affine Transformation  A transformation consisting of multiplication by a matrix followed by
                       the addition of a vector.

Array                  An enumerated collection of identical entities (e.g., an array of bytes).

Bit                    A binary digit having a value of 0 or 1.

Block                  Sequence of binary bits that comprise the input, output, State, and
                       Round Key. The length of a sequence is the number of bits it contains.
                       Blocks are also interpreted as arrays of bytes.

Byte                   A group of eight bits that is treated either as a single entity or as an
                       array of 8 individual bits.

Cipher                 Series of transformations that converts plaintext to ciphertext using the
                       Cipher Key.

Cipher Key             Secret, cryptographic key that is used by the Key Expansion routine to
                       generate a set of Round Keys; can be pictured as a rectangular array of
                       bytes, having four rows and Nk columns.

Ciphertext             Data output from the Cipher or input to the Inverse Cipher.

Inverse Cipher         Series of transformations that converts ciphertext to plaintext using the
                       Cipher Key.

Key Expansion          Routine used to generate a series of Round Keys from the Cipher Key.

Plaintext              Data input to the Cipher or output from the Inverse Cipher.

Rijndael               Cryptographic algorithm specified in this Advanced Encryption
                       Standard (AES).

Round Key              Round keys are values derived from the Cipher Key using the Key
                       Expansion routine; they are applied to the State in the Cipher and
                       Inverse Cipher.

State                  Intermediate Cipher result that can be pictured as a rectangular array
                       of bytes, having four rows and Nb columns.

S-box                  Non-linear substitution table used in several byte substitution
                       transformations and in the Key Expansion routine to perform a
                       one-for-one substitution of a byte value.

Word                   A group of 32 bits that is treated either as a single entity or as an array
                       of 4 bytes.

2.2  Algorithm  Parameters,  Symbols,  and  Functions 

The  following  algorithm  parameters,  symbols,  and  functions  are  used  throughout  this  standard: 

AddRoundKey()     Transformation in the Cipher and Inverse Cipher in which a Round
                  Key is added to the State using an XOR operation. The length of a
                  Round Key equals the size of the State (i.e., for Nb = 4, the Round
                  Key length equals 128 bits/16 bytes).

InvMixColumns()   Transformation in the Inverse Cipher that is the inverse of
                  MixColumns().

InvShiftRows()    Transformation in the Inverse Cipher that is the inverse of
                  ShiftRows().

InvSubBytes()     Transformation in the Inverse Cipher that is the inverse of
                  SubBytes().

K                 Cipher Key.

MixColumns()      Transformation in the Cipher that takes all of the columns of the
                  State and mixes their data (independently of one another) to
                  produce new columns.

Nb                Number of columns (32-bit words) comprising the State. For this
                  standard, Nb = 4. (Also see Sec. 6.3.)

Nk                Number of 32-bit words comprising the Cipher Key. For this
                  standard, Nk = 4, 6, or 8. (Also see Sec. 6.3.)

Nr                Number of rounds, which is a function of Nk and Nb (which is
                  fixed). For this standard, Nr = 10, 12, or 14. (Also see Sec. 6.3.)

Rcon[]            The round constant word array.

RotWord()         Function used in the Key Expansion routine that takes a four-byte
                  word and performs a cyclic permutation.

ShiftRows()       Transformation in the Cipher that processes the State by cyclically
                  shifting the last three rows of the State by different offsets.

SubBytes()        Transformation in the Cipher that processes the State using a
                  non-linear byte substitution table (S-box) that operates on each of the
                  State bytes independently.

SubWord()         Function used in the Key Expansion routine that takes a four-byte
                  input word and applies an S-box to each of the four bytes to
                  produce an output word.

XOR               Exclusive-OR operation.

⊕                 Exclusive-OR operation.

⊗                 Multiplication of two polynomials (each with degree < 4) modulo
                  $x^4 + 1$.

•                 Finite field multiplication.


3.  Notation  and  Conventions 

3.1 Inputs and Outputs

The  input  and  output  for  the  AES  algorithm  each  consist  of  sequences  of  128  bits  (digits  with 
values  of  0  or  1).  These  sequences  will  sometimes  be  referred  to  as  blocks  and  the  number  of 
bits  they  contain  will  be  referred  to  as  their  length.  The  Cipher  Key  for  the  AES  algorithm  is  a 
sequence  of  128, 192  or  256  bits.  Other  input,  output  and  Cipher  Key  lengths  are  not  permitted 
by  this  standard. 

The bits within such sequences will be numbered starting at zero and ending at one less than the
sequence length (block length or key length). The number i attached to a bit is known as its index
and will be in one of the ranges 0 ≤ i < 128, 0 ≤ i < 192 or 0 ≤ i < 256 depending on the block
length and key length (specified above).

3.2 Bytes

The basic unit for processing in the AES algorithm is a byte, a sequence of eight bits treated as a
single entity. The input, output and Cipher Key bit sequences described in Sec. 3.1 are processed
as arrays of bytes that are formed by dividing these sequences into groups of eight contiguous
bits to form arrays of bytes (see Sec. 3.3). For an input, output or Cipher Key denoted by a, the
bytes in the resulting array will be referenced using one of the two forms, $a_n$ or a[n], where n will
be in one of the following ranges:

Key length = 128 bits, 0 ≤ n < 16;    Block length = 128 bits, 0 ≤ n < 16;

Key length = 192 bits, 0 ≤ n < 24;

Key length = 256 bits, 0 ≤ n < 32.

All byte values in the AES algorithm will be presented as the concatenation of its individual bit
values (0 or 1) between braces in the order $\{b_7, b_6, b_5, b_4, b_3, b_2, b_1, b_0\}$. These bytes are
interpreted as finite field elements using a polynomial representation:

$$b_7x^7 + b_6x^6 + b_5x^5 + b_4x^4 + b_3x^3 + b_2x^2 + b_1x + b_0 = \sum_{i=0}^{7} b_i x^i. \tag{3.1}$$

For example, {01100011} identifies the specific finite field element $x^6 + x^5 + x + 1$.

It is also convenient to denote byte values using hexadecimal notation with each of two groups of
four bits being denoted by a single character as in Fig. 1.


Bit Pattern  Character    Bit Pattern  Character    Bit Pattern  Character    Bit Pattern  Character
0000         0            0100         4            1000         8            1100         c
0001         1            0101         5            1001         9            1101         d
0010         2            0110         6            1010         a            1110         e
0011         3            0111         7            1011         b            1111         f

Figure  1.  Hexadecimal  representation  of  bit  patterns. 

Hence the element {01100011} can be represented as {63}, where the character denoting the
four-bit group containing the higher numbered bits is again to the left.

Some finite field operations involve one additional bit ($b_8$) to the left of an 8-bit byte. Where this
extra bit is present, it will appear as ‘{01}’ immediately preceding the 8-bit byte; for example, a
9-bit sequence will be presented as {01}{1b}.


3.3  Arrays  of  Bytes 

Arrays of bytes will be represented in the following form:

$$a_0\; a_1\; a_2\; \ldots\; a_{15}$$

The bytes and the bit ordering within bytes are derived from the 128-bit input sequence

$$\mathit{input}_0\; \mathit{input}_1\; \mathit{input}_2\; \ldots\; \mathit{input}_{126}\; \mathit{input}_{127}$$

as follows:

$$\begin{aligned}
a_0 &= \{\mathit{input}_0, \mathit{input}_1, \ldots, \mathit{input}_7\};\\
a_1 &= \{\mathit{input}_8, \mathit{input}_9, \ldots, \mathit{input}_{15}\};\\
&\;\;\vdots\\
a_{15} &= \{\mathit{input}_{120}, \mathit{input}_{121}, \ldots, \mathit{input}_{127}\}.
\end{aligned}$$

The pattern can be extended to longer sequences (i.e., for 192- and 256-bit keys), so that, in
general,

$$a_n = \{\mathit{input}_{8n}, \mathit{input}_{8n+1}, \ldots, \mathit{input}_{8n+7}\}. \tag{3.2}$$


Taking  Sections  3.2  and  3.3  together,  Fig.  2  shows  how  bits  within  each  byte  are  numbered. 


Input bit sequence    0  1  2  3  4  5  6  7 |  8  9 10 11 12 13 14 15 | 16 17 18 19 20 21 22 23
Byte number                      0           |            1            |            2
Bit numbers in byte   7  6  5  4  3  2  1  0 |  7  6  5  4  3  2  1  0 |  7  6  5  4  3  2  1  0

Figure  2.  Indices  for  Bytes  and  Bits. 


3.4  The  State 

Internally, the AES algorithm’s operations are performed on a two-dimensional array of bytes
called the State. The State consists of four rows of bytes, each containing Nb bytes, where Nb is
the block length divided by 32. In the State array denoted by the symbol s, each individual byte
has two indices, with its row number r in the range 0 ≤ r < 4 and its column number c in the
range 0 ≤ c < Nb. This allows an individual byte of the State to be referred to as either $s_{r,c}$ or
s[r,c]. For this standard, Nb = 4, i.e., 0 ≤ c < 4 (also see Sec. 6.3).

At the start of the Cipher and Inverse Cipher described in Sec. 5, the input - the array of bytes
$in_0, in_1, \ldots, in_{15}$ - is copied into the State array as illustrated in Fig. 3. The Cipher or Inverse
Cipher operations are then conducted on this State array, after which its final value is copied to
the output - the array of bytes $out_0, out_1, \ldots, out_{15}$.


      input bytes                    State array                     output bytes

in0   in4   in8   in12        s0,0  s0,1  s0,2  s0,3        out0  out4  out8   out12
in1   in5   in9   in13   ->   s1,0  s1,1  s1,2  s1,3   ->   out1  out5  out9   out13
in2   in6   in10  in14        s2,0  s2,1  s2,2  s2,3        out2  out6  out10  out14
in3   in7   in11  in15        s3,0  s3,1  s3,2  s3,3        out3  out7  out11  out15

Figure  3.  State  array  input  and  output. 


Hence, at the beginning of the Cipher or Inverse Cipher, the input array, in, is copied to the State
array according to the scheme:

$$s[r, c] = in[r + 4c] \quad \text{for } 0 \le r < 4 \text{ and } 0 \le c < Nb, \tag{3.3}$$

and at the end of the Cipher and Inverse Cipher, the State is copied to the output array out as
follows:

$$out[r + 4c] = s[r, c] \quad \text{for } 0 \le r < 4 \text{ and } 0 \le c < Nb. \tag{3.4}$$

3.5  The  State  as  an  Array  of  Columns 

The four bytes in each column of the State array form 32-bit words, where the row number r
provides an index for the four bytes within each word. The state can hence be interpreted as a
one-dimensional array of 32 bit words (columns), $w_0 \ldots w_3$, where the column number c provides
an index into this array. Hence, for the example in Fig. 3, the State can be considered as an array
of four words, as follows:

$$\begin{aligned}
w_0 &= s_{0,0}\; s_{1,0}\; s_{2,0}\; s_{3,0} & w_2 &= s_{0,2}\; s_{1,2}\; s_{2,2}\; s_{3,2}\\
w_1 &= s_{0,1}\; s_{1,1}\; s_{2,1}\; s_{3,1} & w_3 &= s_{0,3}\; s_{1,3}\; s_{2,3}\; s_{3,3}.
\end{aligned} \tag{3.5}$$


4.  Mathematical  Preliminaries 

All  bytes  in  the  AES  algorithm  are  interpreted  as  finite  field  elements  using  the  notation 
introduced  in  Sec.  3.2.  Finite  field  elements  can  be  added  and  multiplied,  but  these  operations 
are  different  from  those  used  for  numbers.  The  following  subsections  introduce  the  basic 
mathematical  concepts  needed  for  Sec.  5. 

4.1  Addition 

The addition of two elements in a finite field is achieved by “adding” the coefficients for the
corresponding powers in the polynomials for the two elements. The addition is performed with
the XOR operation (denoted by ⊕) - i.e., modulo 2 - so that 1 ⊕ 1 = 0, 1 ⊕ 0 = 1, and 0 ⊕ 0 = 0.
Consequently, subtraction of polynomials is identical to addition of polynomials.

Alternatively, addition of finite field elements can be described as the modulo 2 addition of
corresponding bits in the byte. For two bytes $\{a_7a_6a_5a_4a_3a_2a_1a_0\}$ and $\{b_7b_6b_5b_4b_3b_2b_1b_0\}$, the sum is
$\{c_7c_6c_5c_4c_3c_2c_1c_0\}$, where each $c_i = a_i \oplus b_i$ (i.e., $c_7 = a_7 \oplus b_7$, $c_6 = a_6 \oplus b_6$, ..., $c_0 = a_0 \oplus b_0$).

For example, the following expressions are equivalent to one another:

$(x^6 + x^4 + x^2 + x + 1) + (x^7 + x + 1) = x^7 + x^6 + x^4 + x^2$ (polynomial notation);

{01010111} ⊕ {10000011} = {11010100} (binary notation);

{57} ⊕ {83} = {d4} (hexadecimal notation).

4.2  Multiplication 

In the polynomial representation, multiplication in GF($2^8$) (denoted by •) corresponds with the
multiplication of polynomials modulo an irreducible polynomial of degree 8. A polynomial is
irreducible if its only divisors are one and itself. For the AES algorithm, this irreducible
polynomial is

$$m(x) = x^8 + x^4 + x^3 + x + 1, \tag{4.1}$$

or {01}{1b} in hexadecimal notation.

For example, {57} • {83} = {c1}, because

$$\begin{aligned}
(x^6 + x^4 + x^2 + x + 1)(x^7 + x + 1) &= x^{13} + x^{11} + x^9 + x^8 + x^7 + {}\\
&\quad\; x^7 + x^5 + x^3 + x^2 + x + {}\\
&\quad\; x^6 + x^4 + x^2 + x + 1\\
&= x^{13} + x^{11} + x^9 + x^8 + x^6 + x^5 + x^4 + x^3 + 1
\end{aligned}$$

and

$$x^{13} + x^{11} + x^9 + x^8 + x^6 + x^5 + x^4 + x^3 + 1 \;\text{ modulo }\; (x^8 + x^4 + x^3 + x + 1) = x^7 + x^6 + 1.$$

The modular reduction by m(x) ensures that the result will be a binary polynomial of degree less
than 8, and thus can be represented by a byte. Unlike addition, there is no simple operation at the
byte level that corresponds to this multiplication.

The multiplication defined above is associative, and the element {01} is the multiplicative
identity. For any non-zero binary polynomial b(x) of degree less than 8, the multiplicative
inverse of b(x), denoted $b^{-1}(x)$, can be found as follows: the extended Euclidean algorithm [7] is
used to compute polynomials a(x) and c(x) such that

$$b(x)a(x) + m(x)c(x) = 1. \tag{4.2}$$

Hence, a(x) • b(x) mod m(x) = 1, which means

$$b^{-1}(x) = a(x) \bmod m(x). \tag{4.3}$$

Moreover, for any a(x), b(x) and c(x) in the field, it holds that

$$a(x) \bullet (b(x) + c(x)) = a(x) \bullet b(x) + a(x) \bullet c(x).$$

It follows that the set of 256 possible byte values, with XOR used as addition and the
multiplication defined as above, has the structure of the finite field GF($2^8$).


4.2.1  Multiplication  by  x 

Multiplying the binary polynomial defined in equation (3.1) with the polynomial x results in

$$b_7x^8 + b_6x^7 + b_5x^6 + b_4x^5 + b_3x^4 + b_2x^3 + b_1x^2 + b_0x. \tag{4.4}$$

The result x • b(x) is obtained by reducing the above result modulo m(x), as defined in equation
(4.1). If $b_7$ = 0, the result is already in reduced form. If $b_7$ = 1, the reduction is accomplished by
subtracting (i.e., XORing) the polynomial m(x). It follows that multiplication by x (i.e.,
{00000010} or {02}) can be implemented at the byte level as a left shift and a subsequent
conditional bitwise XOR with {1b}. This operation on bytes is denoted by xtime().
Multiplication by higher powers of x can be implemented by repeated application of xtime().
By adding intermediate results, multiplication by any constant can be implemented.

For example, {57} • {13} = {fe} because

{57} • {02} = xtime({57}) = {ae}
{57} • {04} = xtime({ae}) = {47}
{57} • {08} = xtime({47}) = {8e}
{57} • {10} = xtime({8e}) = {07},

thus,

{57} • {13} = {57} • ({01} ⊕ {02} ⊕ {10})
            = {57} ⊕ {ae} ⊕ {07}
            = {fe}.

4.3 Polynomials with Coefficients in GF($2^8$)

Four-term polynomials can be defined - with coefficients that are finite field elements - as:

$$a(x) = a_3x^3 + a_2x^2 + a_1x + a_0 \tag{4.5}$$

which will be denoted as a word in the form $[a_0, a_1, a_2, a_3]$. Note that the polynomials in this
section behave somewhat differently than the polynomials used in the definition of finite field
elements, even though both types of polynomials use the same indeterminate, x. The coefficients
in this section are themselves finite field elements, i.e., bytes, instead of bits; also, the
multiplication of four-term polynomials uses a different reduction polynomial, defined below.
The distinction should always be clear from the context.

To illustrate the addition and multiplication operations, let

$$b(x) = b_3x^3 + b_2x^2 + b_1x + b_0 \tag{4.6}$$

define a second four-term polynomial. Addition is performed by adding the finite field
coefficients of like powers of x. This addition corresponds to an XOR operation between the
corresponding bytes in each of the words - in other words, the XOR of the complete word
values.

Thus, using the equations of (4.5) and (4.6),

$$a(x) + b(x) = (a_3 \oplus b_3)x^3 + (a_2 \oplus b_2)x^2 + (a_1 \oplus b_1)x + (a_0 \oplus b_0) \tag{4.7}$$

Multiplication is achieved in two steps. In the first step, the polynomial product c(x) = a(x) •
b(x) is algebraically expanded, and like powers are collected to give

$$c(x) = c_6x^6 + c_5x^5 + c_4x^4 + c_3x^3 + c_2x^2 + c_1x + c_0 \tag{4.8}$$

where

$$\begin{aligned}
c_0 &= a_0 \bullet b_0 & c_4 &= a_3 \bullet b_1 \oplus a_2 \bullet b_2 \oplus a_1 \bullet b_3\\
c_1 &= a_1 \bullet b_0 \oplus a_0 \bullet b_1 & c_5 &= a_3 \bullet b_2 \oplus a_2 \bullet b_3\\
c_2 &= a_2 \bullet b_0 \oplus a_1 \bullet b_1 \oplus a_0 \bullet b_2 & c_6 &= a_3 \bullet b_3\\
c_3 &= a_3 \bullet b_0 \oplus a_2 \bullet b_1 \oplus a_1 \bullet b_2 \oplus a_0 \bullet b_3.
\end{aligned} \tag{4.9}$$

The result, c(x), does not represent a four-byte word. Therefore, the second step of the
multiplication is to reduce c(x) modulo a polynomial of degree 4; the result can be reduced to a
polynomial of degree less than 4. For the AES algorithm, this is accomplished with the
polynomial $x^4 + 1$, so that

$$x^i \bmod (x^4 + 1) = x^{i \bmod 4}. \tag{4.10}$$

The modular product of a(x) and b(x), denoted by a(x) ⊗ b(x), is given by the four-term
polynomial d(x), defined as follows:

$$d(x) = d_3x^3 + d_2x^2 + d_1x + d_0 \tag{4.11}$$

with

$$\begin{aligned}
d_0 &= (a_0 \bullet b_0) \oplus (a_3 \bullet b_1) \oplus (a_2 \bullet b_2) \oplus (a_1 \bullet b_3)\\
d_1 &= (a_1 \bullet b_0) \oplus (a_0 \bullet b_1) \oplus (a_3 \bullet b_2) \oplus (a_2 \bullet b_3)\\
d_2 &= (a_2 \bullet b_0) \oplus (a_1 \bullet b_1) \oplus (a_0 \bullet b_2) \oplus (a_3 \bullet b_3)\\
d_3 &= (a_3 \bullet b_0) \oplus (a_2 \bullet b_1) \oplus (a_1 \bullet b_2) \oplus (a_0 \bullet b_3)
\end{aligned} \tag{4.12}$$

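When a(x) is a fixed polynomial, the operation defined in equation (4.11) can be written in
matrix form as:

$$\begin{bmatrix} d_0\\ d_1\\ d_2\\ d_3 \end{bmatrix} =
\begin{bmatrix} a_0 & a_3 & a_2 & a_1\\ a_1 & a_0 & a_3 & a_2\\ a_2 & a_1 & a_0 & a_3\\ a_3 & a_2 & a_1 & a_0 \end{bmatrix}
\begin{bmatrix} b_0\\ b_1\\ b_2\\ b_3 \end{bmatrix} \tag{4.13}$$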


Because $x^4 + 1$ is not an irreducible polynomial over GF($2^8$), multiplication by a fixed four-term
polynomial is not necessarily invertible. However, the AES algorithm specifies a fixed four-term
polynomial that does have an inverse (see Sec. 5.1.3 and Sec. 5.3.3):

$$a(x) = \{03\}x^3 + \{01\}x^2 + \{01\}x + \{02\} \tag{4.14}$$

$$a^{-1}(x) = \{0b\}x^3 + \{0d\}x^2 + \{09\}x + \{0e\}. \tag{4.15}$$

Another polynomial used in the AES algorithm (see the RotWord() function in Sec. 5.2) has $a_0$
= $a_1$ = $a_2$ = {00} and $a_3$ = {01}, which is the polynomial $x^3$. Inspection of equation (4.13) above
will show that its effect is to form the output word by rotating bytes in the input word. This
means that $[b_0, b_1, b_2, b_3]$ is transformed into $[b_1, b_2, b_3, b_0]$.
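
The field arithmetic of Sec. 4.2, 4.2.1 and 4.3 as an added Python example, not part of the standard: xtime(), byte multiplication built from it, the inverse via the extended Euclidean algorithm of eq. (4.2), and the four-term modular product of eq. (4.12). Every function and constant name other than xtime is an assumption of this example.

```python
# Added example (not from the standard): GF(2^8) arithmetic of Sec. 4.2-4.3.
M = 0x11B                           # m(x) = x^8 + x^4 + x^3 + x + 1, {01}{1b}
MIX = [0x02, 0x01, 0x01, 0x03]      # a(x) of eq. (4.14) as [a0, a1, a2, a3]
INV_MIX = [0x0E, 0x09, 0x0D, 0x0B]  # a^-1(x) of eq. (4.15) as [a0, a1, a2, a3]


def xtime(b):
    """Multiply byte b by x ({02}): left shift, then XOR m(x) if b7 was 1."""
    b <<= 1
    return b ^ M if b & 0x100 else b


def gf_mul(a, b):
    """a • b in GF(2^8): XOR the xtime() multiples of a selected by the bits of b."""
    product = 0
    while b:
        if b & 1:
            product ^= a
        a = xtime(a)
        b >>= 1
    return product


def poly_mul(a, b):
    """Unreduced product of binary polynomials (ints used as bit vectors)."""
    product = 0
    while b:
        if b & 1:
            product ^= a
        a <<= 1
        b >>= 1
    return product


def poly_divmod(n, d):
    """Quotient and remainder of the binary polynomial division n / d."""
    if d == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    q = 0
    while n.bit_length() >= d.bit_length():
        shift = n.bit_length() - d.bit_length()
        q ^= 1 << shift
        n ^= d << shift
    return q, n


def gf_mul_by_reduction(a, b):
    """Same product as gf_mul(), done as in the {57} • {83} example:
    expand the polynomial product, then reduce it modulo m(x)."""
    return poly_divmod(poly_mul(a, b), M)[1]


def gf_inv(b):
    """b^-1 by the extended Euclidean algorithm: b(x)a(x) + m(x)c(x) = 1."""
    if b == 0:
        raise ZeroDivisionError("{00} has no multiplicative inverse")
    r0, r1 = M, b   # remainder sequence
    t0, t1 = 0, 1   # invariant: r_i = t_i(x) b(x) modulo m(x)
    while r1 != 1:  # m(x) is irreducible, so the last non-zero remainder is 1
        q, r = poly_divmod(r0, r1)
        r0, r1 = r1, r
        t0, t1 = t1, t0 ^ poly_mul(q, t1)
    return poly_divmod(t1, M)[1]


def word_mul(a, b):
    """a(x) ⊗ b(x) modulo x^4 + 1 on words [a0, a1, a2, a3], eq. (4.12)."""
    d = [0, 0, 0, 0]
    for i in range(4):
        for j in range(4):
            d[i] ^= gf_mul(a[(i - j) % 4], b[j])
    return d


def rot_word(w):
    """Byte rotation written as multiplication by x^3, i.e. the word
    [{00}, {00}, {00}, {01}] described at the end of Sec. 4.3."""
    return word_mul([0x00, 0x00, 0x00, 0x01], w)


if __name__ == "__main__":
    print(f"{{57}} • {{83}} = {{{gf_mul(0x57, 0x83):02x}}}")
    print(f"{{57}} • {{13}} = {{{gf_mul(0x57, 0x13):02x}}}")
    print("a(x) ⊗ a^-1(x) =", [f"{v:02x}" for v in word_mul(MIX, INV_MIX)])
```
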


5.  Algorithm  Specification 

For the AES algorithm, the length of the input block, the output block and the State is 128
bits. This is represented by Nb = 4, which reflects the number of 32-bit words (number of
columns) in the State.

For the AES algorithm, the length of the Cipher Key, K, is 128, 192, or 256 bits. The key
length is represented by Nk = 4, 6, or 8, which reflects the number of 32-bit words (number of
columns) in the Cipher Key.

For  the  AES  algorithm,  the  number  of  rounds  to  be  performed  during  the  execution  of  the 
algorithm  is  dependent  on  the  key  size.  The  number  of  rounds  is  represented  by  Nr,  where  Nr  = 
10  when  Nk  =  4,  Nr  =  12  when  Nk  =  6,  and  Nr  =  14  when  Nk  =  8. 

The  only  Key-Block-Round  combinations  that  conform  to  this  standard  are  given  in  Fig.  4. 

For  implementation  issues  relating  to  the  key  length,  block  size  and  number  of  rounds,  see  Sec. 
6.3. 


            Key Length    Block Size    Number of Rounds
            (Nk words)    (Nb words)    (Nr)
AES-128     4             4             10
AES-192     6             4             12
AES-256     8             4             14

Figure  4.  Key-Block-Round  Combinations. 


For  both  its  Cipher  and  Inverse  Cipher,  the  AES  algorithm  uses  a  round  function  that  is 
composed  of  four  different  byte-oriented  transformations:  1)  byte  substitution  using  a 
substitution  table  (S-box),  2)  shifting  rows  of  the  State  array  by  different  offsets,  3)  mixing  the 
data  within  each  column  of  the  State  array,  and  4)  adding  a  Round  Key  to  the  State.  These 
transformations (and their inverses) are described in Sec. 5.1.1-5.1.4 and 5.3.1-5.3.4.

The  Cipher  and  Inverse  Cipher  are  described  in  Sec.  5.1  and  Sec.  5.3,  respectively,  while  the  Key 
Schedule  is  described  in  Sec.  5.2. 

5.1  Cipher 

At  the  start  of  the  Cipher,  the  input  is  copied  to  the  State  array  using  the  conventions  described  in 
Sec.  3.4.  After  an  initial  Round  Key  addition,  the  State  array  is  transformed  by  implementing  a 
round  function  10,  12,  or  14  times  (depending  on  the  key  length),  with  the  final  round  differing 
slightly from the first Nr - 1 rounds. The final State is then copied to the output as described in
Sec.  3.4. 

The  round  function  is  parameterized  using  a  key  schedule  that  consists  of  a  one-dimensional 
array  of  four-byte  words  derived  using  the  Key  Expansion  routine  described  in  Sec.  5.2. 

The Cipher is described in the pseudo code in Fig. 5. The individual transformations -
SubBytes(), ShiftRows(), MixColumns(), and AddRoundKey() - process the State
and are described in the following subsections. In Fig. 5, the array w[] contains the key
schedule, which is described in Sec. 5.2.

As shown in Fig. 5, all Nr rounds are identical with the exception of the final round, which does
not include the MixColumns() transformation.

Appendix B presents an example of the Cipher, showing values for the State array at the
beginning of each round and after the application of each of the four transformations described in
the following sections.


Cipher(byte in[4*Nb], byte out[4*Nb], word w[Nb*(Nr+1)])
begin
   byte state[4,Nb]

   state = in

   AddRoundKey(state, w[0, Nb-1])                    // See Sec. 5.1.4

   for round = 1 step 1 to Nr-1
      SubBytes(state)                                // See Sec. 5.1.1
      ShiftRows(state)                               // See Sec. 5.1.2
      MixColumns(state)                              // See Sec. 5.1.3
      AddRoundKey(state, w[round*Nb, (round+1)*Nb-1])
   end for

   SubBytes(state)
   ShiftRows(state)
   AddRoundKey(state, w[Nr*Nb, (Nr+1)*Nb-1])

   out = state
end


Figure  5.  Pseudo  Code  for  the  Cipher.1 


5.1.1 SubBytes() Transformation

The SubBytes() transformation is a non-linear byte substitution that operates independently
on each byte of the State using a substitution table (S-box). This S-box (Fig. 7), which is
invertible, is constructed by composing two transformations:

1. Take the multiplicative inverse in the finite field GF($2^8$), described in Sec. 4.2; the
element {00} is mapped to itself.

2. Apply the following affine transformation (over GF(2)):

$$b'_i = b_i \oplus b_{(i+4) \bmod 8} \oplus b_{(i+5) \bmod 8} \oplus b_{(i+6) \bmod 8} \oplus b_{(i+7) \bmod 8} \oplus c_i \tag{5.1}$$

for 0 ≤ i < 8, where $b_i$ is the ith bit of the byte, and $c_i$ is the ith bit of a byte c with the
value {63} or {01100011}. Here and elsewhere, a prime on a variable (e.g., b')
indicates that the variable is to be updated with the value on the right.

In matrix form, the affine transformation element of the S-box can be expressed as:

$$\begin{bmatrix} b'_0\\ b'_1\\ b'_2\\ b'_3\\ b'_4\\ b'_5\\ b'_6\\ b'_7 \end{bmatrix} =
\begin{bmatrix}
1 & 0 & 0 & 0 & 1 & 1 & 1 & 1\\
1 & 1 & 0 & 0 & 0 & 1 & 1 & 1\\
1 & 1 & 1 & 0 & 0 & 0 & 1 & 1\\
1 & 1 & 1 & 1 & 0 & 0 & 0 & 1\\
1 & 1 & 1 & 1 & 1 & 0 & 0 & 0\\
0 & 1 & 1 & 1 & 1 & 1 & 0 & 0\\
0 & 0 & 1 & 1 & 1 & 1 & 1 & 0\\
0 & 0 & 0 & 1 & 1 & 1 & 1 & 1
\end{bmatrix}
\begin{bmatrix} b_0\\ b_1\\ b_2\\ b_3\\ b_4\\ b_5\\ b_6\\ b_7 \end{bmatrix} +
\begin{bmatrix} 1\\ 1\\ 0\\ 0\\ 0\\ 1\\ 1\\ 0 \end{bmatrix}. \tag{5.2}$$

[Footnote 1] The various transformations (e.g., SubBytes(), ShiftRows(), etc.) act upon the State array that is addressed
by the ‘state’ pointer. AddRoundKey() uses an additional pointer to address the Round Key.

Figure 6 illustrates the effect of the SubBytes() transformation on the State.

Figure 6. SubBytes() applies the S-box to each byte of the State.

The S-box used in the SubBytes() transformation is presented in hexadecimal form in Fig. 7.
For example, if $s_{1,1}$ = {53}, then the substitution value would be determined by the intersection
of the row with index ‘5’ and the column with index ‘3’ in Fig. 7. This would result in $s'_{1,1}$ having
a value of {ed}.
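
The two construction steps of the S-box, carried out in Python as an added example that is not part of the standard; it regenerates the 256-entry table and lays it out with rows indexed by the high nibble and columns by the low nibble. The inverse is taken from a table of powers of {03} (a generator of the non-zero field elements) instead of the extended Euclidean algorithm of Sec. 4.2, and all function names other than xtime are assumptions of this example.

```python
# Added example (not from the standard): building the S-box of Sec. 5.1.1.

def xtime(b):
    """Multiply byte b by {02} modulo m(x) = {01}{1b} (Sec. 4.2.1)."""
    b <<= 1
    return b ^ 0x11B if b & 0x100 else b


def inverse_table():
    """Step 1: multiplicative inverse of every byte; {00} maps to itself.

    The powers {03}^0 .. {03}^254 run through all 255 non-zero elements,
    so the inverse of {03}^k is {03}^(255 - k).
    """
    power = [0] * 255
    log = [0] * 256
    v = 1
    for k in range(255):
        power[k] = v
        log[v] = k
        v ^= xtime(v)  # v • {03} = (v • {02}) ⊕ v
    inv = [0] * 256
    for b in range(1, 256):
        inv[b] = power[(255 - log[b]) % 255]
    return inv


def affine(b, c=0x63):
    """Step 2, eq. (5.1): b'_i = b_i ⊕ b_(i+4) ⊕ b_(i+5) ⊕ b_(i+6) ⊕ b_(i+7) ⊕ c_i,
    with all bit indices taken modulo 8."""
    out = 0
    for i in range(8):
        bit = (c >> i) & 1
        for k in (0, 4, 5, 6, 7):
            bit ^= (b >> ((i + k) % 8)) & 1
        out |= bit << i
    return out


def build_sbox():
    """Compose both steps for every byte value."""
    inv = inverse_table()
    return [affine(inv[b]) for b in range(256)]


def build_inverse_sbox(sbox):
    """Invert the table; raises if the S-box were not a permutation."""
    inv_sbox = [None] * 256
    for x, y in enumerate(sbox):
        if inv_sbox[y] is not None:
            raise ValueError("S-box is not invertible")
        inv_sbox[y] = x
    return inv_sbox


def format_table(table):
    """Rows indexed by the high nibble x, columns by the low nibble y."""
    lines = ["    " + " ".join(f" {y:x}" for y in range(16))]
    for x in range(16):
        row = " ".join(f"{table[16 * x + y]:02x}" for y in range(16))
        lines.append(f" {x:x}  {row}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_table(build_sbox()))
```
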


Figure 7. S-box: substitution values for the byte xy (in hexadecimal format).

5.1.2 ShiftRows() Transformation

In the ShiftRows() transformation, the bytes in the last three rows of the State are cyclically
shifted over different numbers of bytes (offsets). The first row, r = 0, is not shifted.

Specifically, the ShiftRows() transformation proceeds as follows:

$$s'_{r,c} = s_{r,(c + shift(r, Nb)) \bmod Nb} \quad \text{for } 0 < r < 4 \text{ and } 0 \le c < Nb, \tag{5.3}$$

where the shift value shift(r,Nb) depends on the row number, r, as follows (recall that Nb = 4):

$$shift(1,4) = 1; \quad shift(2,4) = 2; \quad shift(3,4) = 3. \tag{5.4}$$

This has the effect of moving bytes to “lower” positions in the row (i.e., lower values of c in a
given row), while the “lowest” bytes wrap around into the “top” of the row (i.e., higher values of
c in a given row).

Figure 8 illustrates the ShiftRows() transformation.

Figure 8. ShiftRows() cyclically shifts the last three rows in the State.


5.1.3 MixColumns() Transformation

The MixColumns() transformation operates on the State column-by-column, treating each
column as a four-term polynomial as described in Sec. 4.3. The columns are considered as
polynomials over GF($2^8$) and multiplied modulo $x^4 + 1$ with a fixed polynomial a(x), given by

$$a(x) = \{03\}x^3 + \{01\}x^2 + \{01\}x + \{02\}. \tag{5.5}$$

As described in Sec. 4.3, this can be written as a matrix multiplication. Let

$$s'(x) = a(x) \otimes s(x):$$

$$\begin{bmatrix} s'_{0,c}\\ s'_{1,c}\\ s'_{2,c}\\ s'_{3,c} \end{bmatrix} =
\begin{bmatrix} 02 & 03 & 01 & 01\\ 01 & 02 & 03 & 01\\ 01 & 01 & 02 & 03\\ 03 & 01 & 01 & 02 \end{bmatrix}
\begin{bmatrix} s_{0,c}\\ s_{1,c}\\ s_{2,c}\\ s_{3,c} \end{bmatrix}
\quad \text{for } 0 \le c < Nb. \tag{5.6}$$

As a result of this multiplication, the four bytes in a column are replaced by the following:

$$\begin{aligned}
s'_{0,c} &= (\{02\} \bullet s_{0,c}) \oplus (\{03\} \bullet s_{1,c}) \oplus s_{2,c} \oplus s_{3,c}\\
s'_{1,c} &= s_{0,c} \oplus (\{02\} \bullet s_{1,c}) \oplus (\{03\} \bullet s_{2,c}) \oplus s_{3,c}\\
s'_{2,c} &= s_{0,c} \oplus s_{1,c} \oplus (\{02\} \bullet s_{2,c}) \oplus (\{03\} \bullet s_{3,c})\\
s'_{3,c} &= (\{03\} \bullet s_{0,c}) \oplus s_{1,c} \oplus s_{2,c} \oplus (\{02\} \bullet s_{3,c}).
\end{aligned}$$

Figure 9 illustrates the MixColumns() transformation.

Figure 9. MixColumns() operates on the State column-by-column.


5.1.4  AddRoundKey  ( )  Transformation 

In  the  AddRoundKey  ( )  transformation,  a  Round  Key  is  added  to  the  State  by  a  simple  bitwise 
XOR  operation.  Each  Round  Key  consists  of  Nb  words  from  the  key  schedule  (described  in  Sec. 
5.2).  Those  Nb  words  are  each  added  into  the  columns  of  the  State,  such  that 


[s 


0  ,c 


l.c 


2,c 


3,c 


]  =  [S 


0,c  ’  Jl,c’  J2,c’  J3,c 


]  ©  [w 


round  *Nb+c 


|  for  0  <  c  <  Nb, 


(5.7) 


where  [vv’,J  are  the  key  schedule  words  described  in  Sec.  5.2,  and  round  is  a  value  in  the  range 
0<  round  <Nr.  In  the  Cipher,  the  initial  Round  Key  addition  occurs  when  round  =  0,  prior  to 
the  first  application  of  the  round  function  (see  Fig.  5).  The  application  of  the  AddRoundKey  ( ) 
transformation  to  the  Nr  rounds  of  the  Cipher  occurs  when  1  <  round  <Nr. 

The action of this transformation is illustrated in Fig. 10, where l = round * Nb. The byte
address within words of the key schedule was described in Sec. 3.1.


Figure 10. AddRoundKey() XORs each column of the State with a word from the key schedule.


5.2  Key  Expansion 

The  AES  algorithm  takes  the  Cipher  Key,  K,  and  performs  a  Key  Expansion  routine  to  generate  a 
key  schedule.  The  Key  Expansion  generates  a  total  of  Nb  (Nr  +  1)  words:  the  algorithm  requires 
an  initial  set  of  Nb  words,  and  each  of  the  Nr  rounds  requires  Nb  words  of  key  data.  The 
resulting key schedule consists of a linear array of 4-byte words, denoted [w_i], with i in the range
0 ≤ i < Nb(Nr + 1).

The  expansion  of  the  input  key  into  the  key  schedule  proceeds  according  to  the  pseudo  code  in 
Fig.  11. 

SubWord() is a function that takes a four-byte input word and applies the S-box (Sec. 5.1.1,
Fig. 7) to each of the four bytes to produce an output word. The function RotWord() takes a
word [a0,a1,a2,a3] as input, performs a cyclic permutation, and returns the word [a1,a2,a3,a0]. The
round constant word array, Rcon[i], contains the values given by [x^{i-1},{00},{00},{00}], with
x^{i-1} being powers of x (x is denoted as {02}) in the field GF(2^8), as discussed in Sec. 4.2 (note
that i starts at 1, not 0).

From Fig. 11, it can be seen that the first Nk words of the expanded key are filled with the
Cipher Key. Every following word, w[i], is equal to the XOR of the previous word, w[i-1], and
the word Nk positions earlier, w[i-Nk]. For words in positions that are a multiple of Nk, a
transformation is applied to w[i-1] prior to the XOR, followed by an XOR with a round
constant, Rcon[i]. This transformation consists of a cyclic shift of the bytes in a word
(RotWord()), followed by the application of a table lookup to all four bytes of the word
(SubWord()).

It is important to note that the Key Expansion routine for 256-bit Cipher Keys (Nk = 8) is
slightly different than for 128- and 192-bit Cipher Keys. If Nk = 8 and i-4 is a multiple of Nk,
then SubWord() is applied to w[i-1] prior to the XOR.

KeyExpansion(byte key[4*Nk], word w[Nb*(Nr+1)], Nk)
begin
   word temp

   i = 0

   while (i < Nk)
      w[i] = word(key[4*i], key[4*i+1], key[4*i+2], key[4*i+3])
      i = i+1
   end while

   i = Nk

   while (i < Nb * (Nr+1))
      temp = w[i-1]
      if (i mod Nk = 0)
         temp = SubWord(RotWord(temp)) xor Rcon[i/Nk]
      else if (Nk > 6 and i mod Nk = 4)
         temp = SubWord(temp)
      end if
      w[i] = w[i-Nk] xor temp
      i = i + 1
   end while
end

Note  that  Nk=  4,  6,  and  8  do  not  all  have  to  be  implemented; 
they  are  all  included  in  the  conditional  statement  above  for 
conciseness.  Specific  implementation  requirements  for  the 
Cipher  Key  are  presented  in  Sec.  6.1. 


Figure 11. Pseudo Code for Key Expansion.²

Appendix  A  presents  examples  of  the  Key  Expansion. 

5.3  Inverse  Cipher 

The  Cipher  transformations  in  Sec.  5.1  can  be  inverted  and  then  implemented  in  reverse  order  to 
produce  a  straightforward  Inverse  Cipher  for  the  AES  algorithm.  The  individual  transformations 
used in the Inverse Cipher - InvShiftRows(), InvSubBytes(), InvMixColumns(),
and AddRoundKey() - process the State and are described in the following subsections.

The  Inverse  Cipher  is  described  in  the  pseudo  code  in  Fig.  12.  In  Fig.  12,  the  array  w  [  ]  contains 
the  key  schedule,  which  was  described  previously  in  Sec.  5.2. 


² The functions SubWord() and RotWord() return a result that is a transformation of the function input, whereas
the transformations in the Cipher and Inverse Cipher (e.g., ShiftRows(), SubBytes(), etc.) transform the
State array that is addressed by the 'state' pointer.

InvCipher(byte in[4*Nb], byte out[4*Nb], word w[Nb*(Nr+1)])
begin
   byte state[4,Nb]

   state = in

   AddRoundKey(state, w[Nr*Nb, (Nr+1)*Nb-1])         // See Sec. 5.1.4

   for round = Nr-1 step -1 downto 1
      InvShiftRows(state)                             // See Sec. 5.3.1
      InvSubBytes(state)                              // See Sec. 5.3.2
      AddRoundKey(state, w[round*Nb, (round+1)*Nb-1])
      InvMixColumns(state)                            // See Sec. 5.3.3
   end for

   InvShiftRows(state)
   InvSubBytes(state)
   AddRoundKey(state, w[0, Nb-1])

   out = state
end

Figure 12. Pseudo Code for the Inverse Cipher.³


5.3.1  InvShiftRows  ()  Transformation 

InvShiftRows  ()  is  the  inverse  of  the  ShiftRows  ()  transformation.  The  bytes  in  the  last 
three  rows  of  the  State  are  cyclically  shifted  over  different  numbers  of  bytes  (offsets).  The  first 
row,  r  =  0,  is  not  shifted.  The  bottom  three  rows  are  cyclically  shifted  by  Nb  -  shift(r,Nb) 
bytes,  where  the  shift  value  shift(r,Nb)  depends  on  the  row  number,  and  is  given  in  equation  (5.4) 
(see  Sec.  5.1.2). 

Specifically,  the  InvShiftRows  ()  transformation  proceeds  as  follows: 

s'_{r,(c+shift(r,Nb)) mod Nb} = s_{r,c}    for 0 < r < 4 and 0 ≤ c < Nb (5.8)

Figure  13  illustrates  the  InvShiftRows  ()  transformation. 


³ The various transformations (e.g., InvSubBytes(), InvShiftRows(), etc.) act upon the State array that is
addressed by the 'state' pointer. AddRoundKey() uses an additional pointer to address the Round Key.

Figure 13. InvShiftRows() cyclically shifts the last three rows in the State.


5.3.2 InvSubBytes() Transformation

InvSubBytes() is the inverse of the byte substitution transformation, in which the inverse
S-box is applied to each byte of the State. This is obtained by applying the inverse of the affine
transformation (5.1) followed by taking the multiplicative inverse in GF(2^8).

The inverse S-box used in the InvSubBytes() transformation is presented in Fig. 14:

Figure 14. Inverse S-box: substitution values for the byte xy (in hexadecimal format).


5.3.3 InvMixColumns() Transformation

InvMixColumns() is the inverse of the MixColumns() transformation.
InvMixColumns() operates on the State column-by-column, treating each column as a
four-term polynomial as described in Sec. 4.3. The columns are considered as polynomials over
GF(2^8) and multiplied modulo x^4 + 1 with a fixed polynomial a^{-1}(x), given by

a^{-1}(x) = {0b}x^3 + {0d}x^2 + {09}x + {0e}. (5.9)

As  described  in  Sec.  4.3,  this  can  be  written  as  a  matrix  multiplication.  Let 

s'(x) = a^{-1}(x) ⊗ s(x):

(5.10)


As a result of this multiplication, the four bytes in a column are replaced by the following:

s'_{0,c} = ({0e} • s_{0,c}) ⊕ ({0b} • s_{1,c}) ⊕ ({0d} • s_{2,c}) ⊕ ({09} • s_{3,c})
s'_{1,c} = ({09} • s_{0,c}) ⊕ ({0e} • s_{1,c}) ⊕ ({0b} • s_{2,c}) ⊕ ({0d} • s_{3,c})
s'_{2,c} = ({0d} • s_{0,c}) ⊕ ({09} • s_{1,c}) ⊕ ({0e} • s_{2,c}) ⊕ ({0b} • s_{3,c})
s'_{3,c} = ({0b} • s_{0,c}) ⊕ ({0d} • s_{1,c}) ⊕ ({09} • s_{2,c}) ⊕ ({0e} • s_{3,c})


5.3.4  Inverse  of  the  AddRoundKey  ( )  Transformation 

AddRoundKey  () ,  which  was  described  in  Sec.  5.1.4,  is  its  own  inverse,  since  it  only  involves 
an  application  of  the  XOR  operation. 

5.3.5  Equivalent  Inverse  Cipher 

In  the  straightforward  Inverse  Cipher  presented  in  Sec.  5.3  and  Fig.  12,  the  sequence  of  the 
transformations  differs  from  that  of  the  Cipher,  while  the  form  of  the  key  schedules  for 
encryption  and  decryption  remains  the  same.  However,  several  properties  of  the  AES  algorithm 
allow  for  an  Equivalent  Inverse  Cipher  that  has  the  same  sequence  of  transformations  as  the 
Cipher  (with  the  transformations  replaced  by  their  inverses).  This  is  accomplished  with  a  change 
in  the  key  schedule. 

The  two  properties  that  allow  for  this  Equivalent  Inverse  Cipher  are  as  follows: 


1. The SubBytes() and ShiftRows() transformations commute; that is, a
   SubBytes() transformation immediately followed by a ShiftRows()
   transformation is equivalent to a ShiftRows() transformation immediately
   followed by a SubBytes() transformation. The same is true for their inverses,
   InvSubBytes() and InvShiftRows().

2. The column mixing operations - MixColumns() and InvMixColumns() - are
   linear with respect to the column input, which means

      InvMixColumns(state XOR Round Key) =
         InvMixColumns(state) XOR InvMixColumns(Round Key).


These  properties  allow  the  order  of  InvSubBytes  ( )  and  InvShiftRows  ( ) 
transformations  to  be  reversed.  The  order  of  the  AddRoundKey  ( )  and  InvMixColumns  ( ) 
transformations  can  also  be  reversed,  provided  that  the  columns  (words)  of  the  decryption  key 
schedule  are  modified  using  the  InvMixColumns  ( )  transformation. 

The equivalent inverse cipher is defined by reversing the order of the InvSubBytes() and
InvShiftRows() transformations shown in Fig. 12, and by reversing the order of the
AddRoundKey() and InvMixColumns() transformations used in the "round loop" after
first modifying the decryption key schedule for round = 1 to Nr-1 using the
InvMixColumns() transformation. The first and last Nb words of the decryption key
schedule shall not be modified in this manner.

Given  these  changes,  the  resulting  Equivalent  Inverse  Cipher  offers  a  more  efficient  structure 
than  the  Inverse  Cipher  described  in  Sec.  5.3  and  Fig.  12.  Pseudo  code  for  the  Equivalent 
Inverse  Cipher  appears  in  Fig.  15.  (The  word  array  dw[]  contains  the  modified  decryption  key 
schedule. The modification to the Key Expansion routine is also provided in Fig. 15.)

EqInvCipher(byte in[4*Nb], byte out[4*Nb], word dw[Nb*(Nr+1)])
begin
   byte state[4,Nb]

   state = in

   AddRoundKey(state, dw[Nr*Nb, (Nr+1)*Nb-1])

   for round = Nr-1 step -1 downto 1
      InvSubBytes(state)
      InvShiftRows(state)
      InvMixColumns(state)
      AddRoundKey(state, dw[round*Nb, (round+1)*Nb-1])
   end for

   InvSubBytes(state)
   InvShiftRows(state)
   AddRoundKey(state, dw[0, Nb-1])

   out = state
end


For the Equivalent Inverse Cipher, the following pseudo code is added at
the end of the Key Expansion routine (Sec. 5.2):

   for i = 0 step 1 to (Nr+1)*Nb-1
      dw[i] = w[i]
   end for

   for round = 1 step 1 to Nr-1
      InvMixColumns(dw[round*Nb, (round+1)*Nb-1])    // note change of type
   end for

Note that, since InvMixColumns operates on a two-dimensional array of bytes
while the Round Keys are held in an array of words, the call to
InvMixColumns in this code sequence involves a change of type (i.e. the
input to InvMixColumns() is normally the State array, which is considered
to be a two-dimensional array of bytes, whereas the input here is a Round
Key computed as a one-dimensional array of words).

Figure  15.  Pseudo  Code  for  the  Equivalent  Inverse  Cipher. 
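
The Key Expansion of Fig. 11 (Sec. 5.2) and the two decryption routines of Fig. 12 and Fig. 15, written out as an added Python example that is not part of the standard. It assumes Nb = 4 and Nr = Nk + 6, derives the S-box and inverse S-box from the field inverse and affine transformation instead of copying the tables, and every function name in it is this example's own.

```python
# Added example, not part of FIPS-197. Blocks/State are flat 16-byte sequences: s[r,c] at r + 4*c.

def xtime(b):
    """Multiply a byte by x = {02} in GF(2^8), reducing by x^8 + x^4 + x^3 + x + 1."""
    b <<= 1
    return (b ^ 0x11B) & 0xFF if b & 0x100 else b

def gmul(a, b):
    """Product of two bytes in GF(2^8), built from repeated xtime()."""
    p = 0
    while b:
        p ^= a if b & 1 else 0
        a, b = xtime(a), b >> 1
    return p

def build_sbox():
    """S-box of Sec. 5.1.1: multiplicative inverse, then the affine transformation."""
    box = []
    for v in range(256):
        inv = next((c for c in range(1, 256) if gmul(v, c) == 1), 0)  # {00} -> {00}
        rot = [((inv << k) | (inv >> (8 - k))) & 0xFF for k in range(1, 5)]
        box.append(inv ^ rot[0] ^ rot[1] ^ rot[2] ^ rot[3] ^ 0x63)
    return box

SBOX = build_sbox()
INV_SBOX = [SBOX.index(v) for v in range(256)]
INV_COEF = (0x0E, 0x0B, 0x0D, 0x09)        # first row of the InvMixColumns matrix
def sub_word(w):
    return int.from_bytes(bytes(SBOX[b] for b in w.to_bytes(4, "big")), "big")

def key_expansion(key):
    """Fig. 11: expand a 16-, 24- or 32-byte Cipher Key into 4*(Nr+1) words."""
    if len(key) not in (16, 24, 32):
        raise ValueError("Cipher Key must be 128, 192 or 256 bits")
    nk, nr = len(key) // 4, len(key) // 4 + 6          # Nr = 10, 12 or 14
    w = [int.from_bytes(key[4 * i:4 * i + 4], "big") for i in range(nk)]
    rcon = 0x01                                        # Rcon[1] = x^0
    for i in range(nk, 4 * (nr + 1)):
        temp = w[i - 1]
        if i % nk == 0:
            rot = ((temp << 8) | (temp >> 24)) & 0xFFFFFFFF      # RotWord()
            temp = sub_word(rot) ^ (rcon << 24)
            rcon = xtime(rcon)                         # next power of x
        elif nk > 6 and i % nk == 4:                   # extra SubWord() for 256-bit keys
            temp = sub_word(temp)
        w.append(w[i - nk] ^ temp)
    return w

def add_round_key(s, words):
    """XOR the State with Nb = 4 key schedule words, one word per column (eq. 5.7)."""
    rk = b"".join(x.to_bytes(4, "big") for x in words)
    return [a ^ b for a, b in zip(s, rk)]

def inv_shift_rows(s):
    """Eq. (5.8) for Nb = 4: s'[r,(c+r) mod 4] = s[r,c]."""
    return [s[r + 4 * ((c - r) % 4)] for c in range(4) for r in range(4)]

def mix_columns(s, coef=(0x02, 0x03, 0x01, 0x01)):
    """Multiply every column by the circulant matrix whose first row is coef."""
    out = []
    for c in range(0, 16, 4):
        for r in range(4):
            t = [gmul(coef[(j - r) % 4], s[c + j]) for j in range(4)]
            out.append(t[0] ^ t[1] ^ t[2] ^ t[3])
    return out

def inv_cipher(block, w):
    """Fig. 12: straightforward Inverse Cipher using the encryption key schedule."""
    nr = len(w) // 4 - 1
    s = add_round_key(block, w[4 * nr:])
    for rnd in range(nr - 1, 0, -1):
        s = [INV_SBOX[b] for b in inv_shift_rows(s)]
        s = mix_columns(add_round_key(s, w[4 * rnd:4 * rnd + 4]), INV_COEF)
    s = [INV_SBOX[b] for b in inv_shift_rows(s)]
    return bytes(add_round_key(s, w[:4]))

def eq_key_schedule(w):
    """Fig. 15 addendum: InvMixColumns over round keys 1..Nr-1; first and last stay."""
    nr = len(w) // 4 - 1
    dw = list(w)
    for i in range(4, 4 * nr, 4):                      # words -> 16 bytes -> words
        mixed = bytes(mix_columns(add_round_key([0] * 16, w[i:i + 4]), INV_COEF))
        dw[i:i + 4] = [int.from_bytes(mixed[j:j + 4], "big") for j in range(0, 16, 4)]
    return dw

def eq_inv_cipher(block, dw):
    """Fig. 15: same transformation order as the Cipher, with the modified schedule dw."""
    nr = len(dw) // 4 - 1
    s = add_round_key(block, dw[4 * nr:])
    for rnd in range(nr - 1, 0, -1):
        s = mix_columns(inv_shift_rows([INV_SBOX[b] for b in s]), INV_COEF)
        s = add_round_key(s, dw[4 * rnd:4 * rnd + 4])
    s = inv_shift_rows([INV_SBOX[b] for b in s])
    return bytes(add_round_key(s, dw[:4]))

if __name__ == "__main__":                             # Appendix C.1 key and ciphertext
    w, ct = key_expansion(bytes(range(16))), bytes.fromhex("69c4e0d86a7b0430d8cdb78070b4c55a")
    print(inv_cipher(ct, w).hex(), eq_inv_cipher(ct, eq_key_schedule(w)).hex())
```

This is a reference transcription for checking an implementation against the Appendix A and Appendix C values; it makes no attempt at constant-time execution.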


6.  Implementation  Issues 

6.1  Key  Length  Requirements 

An implementation of the AES algorithm shall support at least one of the three key lengths
specified in Sec. 5: 128, 192, or 256 bits (i.e., Nk = 4, 6, or 8, respectively). Implementations
may optionally support two or three key lengths, which may promote the interoperability of
algorithm implementations.

6.2  Keying  Restrictions 

No  weak  or  semi-weak  keys  have  been  identified  for  the  AES  algorithm,  and  there  is  no 
restriction  on  key  selection. 

6.3  Parameterization  of  Key  Length,  Block  Size,  and  Round  Number 

This  standard  explicitly  defines  the  allowed  values  for  the  key  length  (Nk),  block  size  (Nb),  and 
number  of  rounds  (Nr)  -  see  Fig.  4.  However,  future  reaffirmations  of  this  standard  could 
include  changes  or  additions  to  the  allowed  values  for  those  parameters.  Therefore, 
implementers  may  choose  to  design  their  AES  implementations  with  future  flexibility  in  mind. 

6.4  Implementation  Suggestions  Regarding  Various  Platforms 

Implementation  variations  are  possible  that  may,  in  many  cases,  offer  performance  or  other 
advantages.  Given  the  same  input  key  and  data  (plaintext  or  ciphertext),  any  implementation  that 
produces  the  same  output  (ciphertext  or  plaintext)  as  the  algorithm  specified  in  this  standard  is  an 
acceptable  implementation  of  the  AES. 

Reference [3] and other papers located at Ref. [1] include suggestions on how to efficiently
implement the AES algorithm on a variety of platforms.


Appendix A - Key Expansion Examples

This appendix shows the development of the key schedule for various key sizes. Note that
multi-byte values are presented using the notation described in Sec. 3. The intermediate values
produced during the development of the key schedule (see Sec. 5.2) are given in the following
table (all values are in hexadecimal format, with the exception of the index column (i)).

A.1  Expansion  of  a  128-bit  Cipher  Key 

This  section  contains  the  key  expansion  of  the  following  cipher  key: 

Cipher  Key  =  2b  7e  15  16  28  ae  d2  a6  ab  f7  15  88  09  cf  4f  3c 

for  Nk  =  4,  which  results  in 

w0 = 2b7e1516    w1 = 28aed2a6    w2 = abf71588    w3 = 09cf4f3c


  i  | temp     | After     | After     | Rcon[i/Nk] | After XOR | w[i-Nk]  | w[i] = temp
(dec)|          | RotWord() | SubWord() |            | with Rcon |          | XOR w[i-Nk]
  4  | 09cf4f3c | cf4f3c09  | 8a84eb01  | 01000000   | 8b84eb01  | 2b7e1516 | a0fafe17
  5  | a0fafe17 |           |           |            |           | 28aed2a6 | 88542cb1
  6  | 88542cb1 |           |           |            |           | abf71588 | 23a33939
  7  | 23a33939 |           |           |            |           | 09cf4f3c | 2a6c7605
  8  | 2a6c7605 | 6c76052a  | 50386be5  | 02000000   | 52386be5  | a0fafe17 | f2c295f2
  9  | f2c295f2 |           |           |            |           | 88542cb1 | 7a96b943
 10  | 7a96b943 |           |           |            |           | 23a33939 | 5935807a
 11  | 5935807a |           |           |            |           | 2a6c7605 | 7359f67f
 12  | 7359f67f | 59f67f73  | cb42d28f  | 04000000   | cf42d28f  | f2c295f2 | 3d80477d
 13  | 3d80477d |           |           |            |           | 7a96b943 | 4716fe3e
 14  | 4716fe3e |           |           |            |           | 5935807a | 1e237e44
 15  | 1e237e44 |           |           |            |           | 7359f67f | 6d7a883b
 16  | 6d7a883b | 7a883b6d  | dac4e23c  | 08000000   | d2c4e23c  | 3d80477d | ef44a541
 17  | ef44a541 |           |           |            |           | 4716fe3e | a8525b7f
 18  | a8525b7f |           |           |            |           | 1e237e44 | b671253b
 19  | b671253b |           |           |            |           | 6d7a883b | db0bad00
 20  | db0bad00 | 0bad00db  | 2b9563b9  | 10000000   | 3b9563b9  | ef44a541 | d4d1c6f8
 21  | d4d1c6f8 |           |           |            |           | a8525b7f | 7c839d87
 22  | 7c839d87 |           |           |            |           | b671253b | caf2b8bc
 23  | caf2b8bc |           |           |            |           | db0bad00 | 11f915bc
 24  | 11f915bc | f915bc11  | 99596582  | 20000000   | b9596582  | d4d1c6f8 | 6d88a37a
 25  | 6d88a37a |           |           |            |           | 7c839d87 | 110b3efd
 26  | 110b3efd |           |           |            |           | caf2b8bc | dbf98641
 27  | dbf98641 |           |           |            |           | 11f915bc | ca0093fd
 28  | ca0093fd | 0093fdca  | 63dc5474  | 40000000   | 23dc5474  | 6d88a37a | 4e54f70e
 29  | 4e54f70e |           |           |            |           | 110b3efd | 5f5fc9f3
 30  | 5f5fc9f3 |           |           |            |           | dbf98641 | 84a64fb2
 31  | 84a64fb2 |           |           |            |           | ca0093fd | 4ea6dc4f
 32  | 4ea6dc4f | a6dc4f4e  | 2486842f  | 80000000   | a486842f  | 4e54f70e | ead27321
 33  | ead27321 |           |           |            |           | 5f5fc9f3 | b58dbad2
 34  | b58dbad2 |           |           |            |           | 84a64fb2 | 312bf560
 35  | 312bf560 |           |           |            |           | 4ea6dc4f | 7f8d292f
 36  | 7f8d292f | 8d292f7f  | 5da515d2  | 1b000000   | 46a515d2  | ead27321 | ac7766f3
 37  | ac7766f3 |           |           |            |           | b58dbad2 | 19fadc21
 38  | 19fadc21 |           |           |            |           | 312bf560 | 28d12941
 39  | 28d12941 |           |           |            |           | 7f8d292f | 575c006e
 40  | 575c006e | 5c006e57  | 4a639f5b  | 36000000   | 7c639f5b  | ac7766f3 | d014f9a8
 41  | d014f9a8 |           |           |            |           | 19fadc21 | c9ee2589
 42  | c9ee2589 |           |           |            |           | 28d12941 | e13f0cc8
 43  | e13f0cc8 |           |           |            |           | 575c006e | b6630ca6


A.2  Expansion  of  a  192-bit  Cipher  Key 

This  section  contains  the  key  expansion  of  the  following  cipher  key: 

Cipher Key = 8e 73 b0 f7 da 0e 64 52 c8 10 f3 2b
             80 90 79 e5 62 f8 ea d2 52 2c 6b 7b

for Nk = 6, which results in

w0 = 8e73b0f7    w1 = da0e6452    w2 = c810f32b    w3 = 809079e5
w4 = 62f8ead2    w5 = 522c6b7b


  i  | temp     | After     | After     | Rcon[i/Nk] | After XOR | w[i-Nk]  | w[i] = temp
(dec)|          | RotWord() | SubWord() |            | with Rcon |          | XOR w[i-Nk]
  6  | 522c6b7b | 2c6b7b52  | 717f2100  | 01000000   | 707f2100  | 8e73b0f7 | fe0c91f7
  7  | fe0c91f7 |           |           |            |           | da0e6452 | 2402f5a5
  8  | 2402f5a5 |           |           |            |           | c810f32b | ec12068e
  9  | ec12068e |           |           |            |           | 809079e5 | 6c827f6b
 10  | 6c827f6b |           |           |            |           | 62f8ead2 | 0e7a95b9
 11  | 0e7a95b9 |           |           |            |           | 522c6b7b | 5c56fec2
 12  | 5c56fec2 | 56fec25c  | b1bb254a  | 02000000   | b3bb254a  | fe0c91f7 | 4db7b4bd
 13  | 4db7b4bd |           |           |            |           | 2402f5a5 | 69b54118
 14  | 69b54118 |           |           |            |           | ec12068e | 85a74796
 15  | 85a74796 |           |           |            |           | 6c827f6b | e92538fd
 16  | e92538fd |           |           |            |           | 0e7a95b9 | e75fad44
 17  | e75fad44 |           |           |            |           | 5c56fec2 | bb095386
 18  | bb095386 | 095386bb  | 01ed44ea  | 04000000   | 05ed44ea  | 4db7b4bd | 485af057
 19  | 485af057 |           |           |            |           | 69b54118 | 21efb14f
 20  | 21efb14f |           |           |            |           | 85a74796 | a448f6d9
 21  | a448f6d9 |           |           |            |           | e92538fd | 4d6dce24
 22  | 4d6dce24 |           |           |            |           | e75fad44 | aa326360
 23  | aa326360 |           |           |            |           | bb095386 | 113b30e6
 24  | 113b30e6 | 3b30e611  | e2048e82  | 08000000   | ea048e82  | 485af057 | a25e7ed5
 25  | a25e7ed5 |           |           |            |           | 21efb14f | 83b1cf9a
 26  | 83b1cf9a |           |           |            |           | a448f6d9 | 27f93943
 27  | 27f93943 |           |           |            |           | 4d6dce24 | 6a94f767
 28  | 6a94f767 |           |           |            |           | aa326360 | c0a69407
 29  | c0a69407 |           |           |            |           | 113b30e6 | d19da4e1
 30  | d19da4e1 | 9da4e1d1  | 5e49f83e  | 10000000   | 4e49f83e  | a25e7ed5 | ec1786eb
 31  | ec1786eb |           |           |            |           | 83b1cf9a | 6fa64971
 32  | 6fa64971 |           |           |            |           | 27f93943 | 485f7032
 33  | 485f7032 |           |           |            |           | 6a94f767 | 22cb8755
 34  | 22cb8755 |           |           |            |           | c0a69407 | e26d1352
 35  | e26d1352 |           |           |            |           | d19da4e1 | 33f0b7b3
 36  | 33f0b7b3 | f0b7b333  | 8ca96dc3  | 20000000   | aca96dc3  | ec1786eb | 40beeb28
 37  | 40beeb28 |           |           |            |           | 6fa64971 | 2f18a259
 38  | 2f18a259 |           |           |            |           | 485f7032 | 6747d26b
 39  | 6747d26b |           |           |            |           | 22cb8755 | 458c553e
 40  | 458c553e |           |           |            |           | e26d1352 | a7e1466c
 41  | a7e1466c |           |           |            |           | 33f0b7b3 | 9411f1df
 42  | 9411f1df | 11f1df94  | 82a19e22  | 40000000   | c2a19e22  | 40beeb28 | 821f750a
 43  | 821f750a |           |           |            |           | 2f18a259 | ad07d753
 44  | ad07d753 |           |           |            |           | 6747d26b | ca400538
 45  | ca400538 |           |           |            |           | 458c553e | 8fcc5006
 46  | 8fcc5006 |           |           |            |           | a7e1466c | 282d166a
 47  | 282d166a |           |           |            |           | 9411f1df | bc3ce7b5
 48  | bc3ce7b5 | 3ce7b5bc  | eb94d565  | 80000000   | 6b94d565  | 821f750a | e98ba06f
 49  | e98ba06f |           |           |            |           | ad07d753 | 448c773c
 50  | 448c773c |           |           |            |           | ca400538 | 8ecc7204
 51  | 8ecc7204 |           |           |            |           | 8fcc5006 | 01002202


A.3  Expansion  of  a  256-bit  Cipher  Key 

This  section  contains  the  key  expansion  of  the  following  cipher  key: 

Cipher Key = 60 3d eb 10 15 ca 71 be 2b 73 ae f0 85 7d 77 81
             1f 35 2c 07 3b 61 08 d7 2d 98 10 a3 09 14 df f4

for Nk = 8, which results in

w0 = 603deb10    w1 = 15ca71be    w2 = 2b73aef0    w3 = 857d7781
w4 = 1f352c07    w5 = 3b6108d7    w6 = 2d9810a3    w7 = 0914dff4


  i  | temp     | After     | After     | Rcon[i/Nk] | After XOR | w[i-Nk]  | w[i] = temp
(dec)|          | RotWord() | SubWord() |            | with Rcon |          | XOR w[i-Nk]
  8  | 0914dff4 | 14dff409  | fa9ebf01  | 01000000   | fb9ebf01  | 603deb10 | 9ba35411
  9  | 9ba35411 |           |           |            |           | 15ca71be | 8e6925af
 10  | 8e6925af |           |           |            |           | 2b73aef0 | a51a8b5f
 11  | a51a8b5f |           |           |            |           | 857d7781 | 2067fcde
 12  | 2067fcde |           | b785b01d  |            |           | 1f352c07 | a8b09c1a
 13  | a8b09c1a |           |           |            |           | 3b6108d7 | 93d194cd
 14  | 93d194cd |           |           |            |           | 2d9810a3 | be49846e
 15  | be49846e |           |           |            |           | 0914dff4 | b75d5b9a
 16  | b75d5b9a | 5d5b9ab7  | 4c39b8a9  | 02000000   | 4e39b8a9  | 9ba35411 | d59aecb8
 17  | d59aecb8 |           |           |            |           | 8e6925af | 5bf3c917
 18  | 5bf3c917 |           |           |            |           | a51a8b5f | fee94248
 19  | fee94248 |           |           |            |           | 2067fcde | de8ebe96
 20  | de8ebe96 |           | 1d19ae90  |            |           | a8b09c1a | b5a9328a
 21  | b5a9328a |           |           |            |           | 93d194cd | 2678a647
 22  | 2678a647 |           |           |            |           | be49846e | 98312229
 23  | 98312229 |           |           |            |           | b75d5b9a | 2f6c79b3
 24  | 2f6c79b3 | 6c79b32f  | 50b66d15  | 04000000   | 54b66d15  | d59aecb8 | 812c81ad
 25  | 812c81ad |           |           |            |           | 5bf3c917 | dadf48ba
 26  | dadf48ba |           |           |            |           | fee94248 | 24360af2
 27  | 24360af2 |           |           |            |           | de8ebe96 | fab8b464
 28  | fab8b464 |           | 2d6c8d43  |            |           | b5a9328a | 98c5bfc9
 29  | 98c5bfc9 |           |           |            |           | 2678a647 | bebd198e
 30  | bebd198e |           |           |            |           | 98312229 | 268c3ba7
 31  | 268c3ba7 |           |           |            |           | 2f6c79b3 | 09e04214
 32  | 09e04214 | e0421409  | e12cfa01  | 08000000   | e92cfa01  | 812c81ad | 68007bac
 33  | 68007bac |           |           |            |           | dadf48ba | b2df3316
 34  | b2df3316 |           |           |            |           | 24360af2 | 96e939e4
 35  | 96e939e4 |           |           |            |           | fab8b464 | 6c518d80
 36  | 6c518d80 |           | 50d15dcd  |            |           | 98c5bfc9 | c814e204
 37  | c814e204 |           |           |            |           | bebd198e | 76a9fb8a
 38  | 76a9fb8a |           |           |            |           | 268c3ba7 | 5025c02d
 39  | 5025c02d |           |           |            |           | 09e04214 | 59c58239
 40  | 59c58239 | c5823959  | a61312cb  | 10000000   | b61312cb  | 68007bac | de136967
 41  | de136967 |           |           |            |           | b2df3316 | 6ccc5a71
 42  | 6ccc5a71 |           |           |            |           | 96e939e4 | fa256395
 43  | fa256395 |           |           |            |           | 6c518d80 | 9674ee15
 44  | 9674ee15 |           | 90922859  |            |           | c814e204 | 5886ca5d
 45  | 5886ca5d |           |           |            |           | 76a9fb8a | 2e2f31d7
 46  | 2e2f31d7 |           |           |            |           | 5025c02d | 7e0af1fa
 47  | 7e0af1fa |           |           |            |           | 59c58239 | 27cf73c3
 48  | 27cf73c3 | cf73c327  | 8a8f2ecc  | 20000000   | aa8f2ecc  | de136967 | 749c47ab
 49  | 749c47ab |           |           |            |           | 6ccc5a71 | 18501dda
 50  | 18501dda |           |           |            |           | fa256395 | e2757e4f
 51  | e2757e4f |           |           |            |           | 9674ee15 | 7401905a
 52  | 7401905a |           | 927c60be  |            |           | 5886ca5d | cafaaae3
 53  | cafaaae3 |           |           |            |           | 2e2f31d7 | e4d59b34
 54  | e4d59b34 |           |           |            |           | 7e0af1fa | 9adf6ace
 55  | 9adf6ace |           |           |            |           | 27cf73c3 | bd10190d
 56  | bd10190d | 10190dbd  | cad4d77a  | 40000000   | 8ad4d77a  | 749c47ab | fe4890d1
 57  | fe4890d1 |           |           |            |           | 18501dda | e6188d0b


Appendix  B  -  Cipher  Example 

The  following  diagram  shows  the  values  in  the  State  array  as  the  Cipher  progresses  for  a  block 
length  and  a  Cipher  Key  length  of  16  bytes  each  (i.e.,  Nb  =  4  and  Nk  =  4). 

Input = 32 43 f6 a8 88 5a 30 8d 31 31 98 a2 e0 37 07 34

Cipher  Key  =  2b  7e  15  16  28  ae  d2  a6  ab  f7  15  88  09  cf  4f  3c 


The  Round  Key  values  are  taken  from  the  Key  Expansion  example  in  Appendix  A. 


[Diagram not recoverable from this extraction. For the input and each Round Number it tabulated the State at the Start of Round, After SubBytes, After ShiftRows, and After MixColumns, together with the Round Key Value.]


Appendix C - Example Vectors

This  appendix  contains  example  vectors,  including  intermediate  values  -  for  all  three  AES  key 
lengths  (Nk  =  4,  6,  and  8),  for  the  Cipher,  Inverse  Cipher,  and  Equivalent  Inverse  Cipher  that  are 
described  in  Sec.  5.1,  5.3,  and  5.3.5,  respectively.  Additional  examples  may  be  found  at  [1]  and 
[5]. 

All  vectors  are  in  hexadecimal  notation,  with  each  pair  of  characters  giving  a  byte  value  in  which 
the  left  character  of  each  pair  provides  the  bit  pattern  for  the  4  bit  group  containing  the  higher 
numbered  bits  using  the  notation  explained  in  Sec.  3.2,  while  the  right  character  provides  the  bit 
pattern  for  the  lower-numbered  bits.  The  array  index  for  all  bytes  (groups  of  two  hexadecimal 
digits)  within  these  test  vectors  starts  at  zero  and  increases  from  left  to  right. 


Legend for CIPHER (ENCRYPT) (round number r = 0 to 10, 12 or 14):

input:    cipher input
start:    state at start of round[r]
s_box:    state after SubBytes()
s_row:    state after ShiftRows()
m_col:    state after MixColumns()
k_sch:    key schedule value for round[r]
output:   cipher output


Legend for INVERSE CIPHER (DECRYPT) (round number r = 0 to 10, 12 or 14):

iinput:   inverse cipher input
istart:   state at start of round[r]
is_box:   state after InvSubBytes()
is_row:   state after InvShiftRows()
ik_sch:   key schedule value for round[r]
ik_add:   state after AddRoundKey()
ioutput:  inverse cipher output


Legend for EQUIVALENT INVERSE CIPHER (DECRYPT) (round number r = 0 to 10, 12 or 14):

iinput:   inverse cipher input
istart:   state at start of round[r]
is_box:   state after InvSubBytes()
is_row:   state after InvShiftRows()
im_col:   state after InvMixColumns()
ik_sch:   key schedule value for round[r]
ioutput:  inverse cipher output


C.1 AES-128 (Nk=4, Nr=10)

PLAINTEXT:  00112233445566778899aabbccddeeff

KEY:        000102030405060708090a0b0c0d0e0f

CIPHER (ENCRYPT):

round[ 0].input    00112233445566778899aabbccddeeff
round[ 0].k_sch    000102030405060708090a0b0c0d0e0f
round[ 1].start    00102030405060708090a0b0c0d0e0f0
round[ 1].s_box    63cab7040953d051cd60e0e7ba70e18c
round[ 1].s_row    6353e08c0960e104cd70b751bacad0e7
round[ 1].m_col    5f72641557f5bc92f7be3b291db9f91a
round[ 1].k_sch    d6aa74fdd2af72fadaa678f1d6ab76fe
round[ 2].start    89d810e8855ace682d1843d8cb128fe4
round[ 2].s_box    a761ca9b97be8b45d8ad1a611fc97369
round[ 2].s_row    a7be1a6997ad739bd8c9ca451f618b61
round[ 2].m_col    ff87968431d86a51645151fa773ad009
round[ 2].k_sch    b692cf0b643dbdf1be9bc5006830b3fe
round[ 3].start    4915598f55e5d7a0daca94fa1f0a63f7
round[ 3].s_box    3b59cb73fcd90ee05774222dc067fb68
round[ 3].s_row    3bd92268fc74fb735767cbe0c0590e2d
round[ 3].m_col    4c9c1e66f771f0762c3f868e534df256
round[ 3].k_sch    b6ff744ed2c2c9bf6c590cbf0469bf41
round[ 4].start    fa636a2825b339c940668a3157244d17
round[ 4].s_box    2dfb02343f6d12dd09337ec75b36e3f0
round[ 4].s_row    2d6d7ef03f33e334093602dd5bfb12c7
round[ 4].m_col    6385b79ffc538df997be478e7547d691
round[ 4].k_sch    47f7f7bc95353e03f96c32bcfd058dfd
round[ 5].start    247240236966b3fa6ed2753288425b6c
round[ 5].s_box    36400926f9336d2d9fb59d23c42c3950
round[ 5].s_row    36339d50f9b539269f2c092dc4406d23
round[ 5].m_col    f4bcd45432e554d075f1d6c51dd03b3c
round[ 5].k_sch    3caaa3e8a99f9deb50f3af57adf622aa
round[ 6].start    c81677bc9b7ac93b25027992b0261996
round[ 6].s_box    e847f56514dadde23f77b64fe7f7d490
round[ 6].s_row    e8dab6901477d4653ff7f5e2e747dd4f
round[ 6].m_col    9816ee7400f87f556b2c049c8e5ad036
round[ 6].k_sch    5e390f7df7a69296a7553dc10aa31f6b
round[ 7].start    c62fe109f75eedc3cc79395d84f9cf5d
round[ 7].s_box    b415f8016858552e4bb6124c5f998a4c
round[ 7].s_row    b458124c68b68a014b99f82e5f15554c
round[ 7].m_col    c57e1c159a9bd286f05f4be098c63439
round[ 7].k_sch    14f9701ae35fe28c440adf4d4ea9c026
round[ 8].start    d1876c0f79c4300ab45594add66ff41f
round[ 8].s_box    3e175076b61c04678dfc2295f6a8bfc0
round[ 8].s_row    3e1c22c0b6fcbf768da85067f6170495
round[ 8].m_col    baa03de7a1f9b56ed5512cba5f414d23
round[ 8].k_sch    47438735a41c65b9e016baf4aebf7ad2
round[ 9].start    fde3bad205e5d0d73547964ef1fe37f1
round[ 9].s_box    5411f4b56bd9700e96a0902fa1bb9aa1
round[ 9].s_row    54d990a16ba09ab596bbf40ea111702f
round[ 9].m_col    e9f74eec023020f61bf2ccf2353c21c7
round[ 9].k_sch    549932d1f08557681093ed9cbe2c974e
round[10].start    bd6e7c3df2b5779e0b61216e8b10b689
round[10].s_box    7a9f102789d5f50b2beffd9f3dca4ea7
round[10].s_row    7ad5fda789ef4e272bca100b3d9ff59f
round[10].k_sch    13111d7fe3944a17f307a78b4d2b30c5
round[10].output   69c4e0d86a7b0430d8cdb78070b4c55a


INVERSE CIPHER (DECRYPT):

round[ 0].iinput   69c4e0d86a7b0430d8cdb78070b4c55a
round[ 0].ik_sch   13111d7fe3944a17f307a78b4d2b30c5
round[ 1].istart   7ad5fda789ef4e272bca100b3d9ff59f
round[ 1].is_row   7a9f102789d5f50b2beffd9f3dca4ea7
round[ 1].is_box   bd6e7c3df2b5779e0b61216e8b10b689
round[ 1].ik_sch   549932d1f08557681093ed9cbe2c974e
round[ 1].ik_add   e9f74eec023020f61bf2ccf2353c21c7
round[ 2].istart   54d990a16ba09ab596bbf40ea111702f
round[ 2].is_row   5411f4b56bd9700e96a0902fa1bb9aa1
round[ 2].is_box   fde3bad205e5d0d73547964ef1fe37f1
round[ 2].ik_sch   47438735a41c65b9e016baf4aebf7ad2
round[ 2].ik_add   baa03de7a1f9b56ed5512cba5f414d23
round[ 3].istart   3e1c22c0b6fcbf768da85067f6170495
round[ 3].is_row   3e175076b61c04678dfc2295f6a8bfc0
round[ 3].is_box   d1876c0f79c4300ab45594add66ff41f
round[ 3].ik_sch   14f9701ae35fe28c440adf4d4ea9c026
round[ 3].ik_add   c57e1c159a9bd286f05f4be098c63439
round[ 4].istart   b458124c68b68a014b99f82e5f15554c
round[ 4].is_row   b415f8016858552e4bb6124c5f998a4c
round[ 4].is_box   c62fe109f75eedc3cc79395d84f9cf5d
round[ 4].ik_sch   5e390f7df7a69296a7553dc10aa31f6b
round[ 4].ik_add   9816ee7400f87f556b2c049c8e5ad036
round[ 5].istart   e8dab6901477d4653ff7f5e2e747dd4f
round[ 5].is_row   e847f56514dadde23f77b64fe7f7d490
round[ 5].is_box   c81677bc9b7ac93b25027992b0261996
round[ 5].ik_sch   3caaa3e8a99f9deb50f3af57adf622aa
round[ 5].ik_add   f4bcd45432e554d075f1d6c51dd03b3c
round[ 6].istart   36339d50f9b539269f2c092dc4406d23
round[ 6].is_row   36400926f9336d2d9fb59d23c42c3950
round[ 6].is_box   247240236966b3fa6ed2753288425b6c
round[ 6].ik_sch   47f7f7bc95353e03f96c32bcfd058dfd
round[ 6].ik_add   6385b79ffc538df997be478e7547d691
round[ 7].istart   2d6d7ef03f33e334093602dd5bfb12c7
round[ 7].is_row   2dfb02343f6d12dd09337ec75b36e3f0
round[ 7].is_box   fa636a2825b339c940668a3157244d17
round[ 7].ik_sch   b6ff744ed2c2c9bf6c590cbf0469bf41
round[ 7].ik_add   4c9c1e66f771f0762c3f868e534df256
round[ 8].istart   3bd92268fc74fb735767cbe0c0590e2d
round[ 8].is_row   3b59cb73fcd90ee05774222dc067fb68
round[ 8].is_box   4915598f55e5d7a0daca94fa1f0a63f7
round[ 8].ik_sch   b692cf0b643dbdf1be9bc5006830b3fe
round[ 8].ik_add   ff87968431d86a51645151fa773ad009
round[ 9].istart   a7be1a6997ad739bd8c9ca451f618b61
round[ 9].is_row   a761ca9b97be8b45d8ad1a611fc97369
round[ 9].is_box   89d810e8855ace682d1843d8cb128fe4
round[ 9].ik_sch   d6aa74fdd2af72fadaa678f1d6ab76fe
round[ 9].ik_add   5f72641557f5bc92f7be3b291db9f91a
round[10].istart   6353e08c0960e104cd70b751bacad0e7
round[10].is_row   63cab7040953d051cd60e0e7ba70e18c
round[10].is_box   00102030405060708090a0b0c0d0e0f0
round[10].ik_sch   000102030405060708090a0b0c0d0e0f
round[10].ioutput  00112233445566778899aabbccddeeff


EQUIVALENT INVERSE CIPHER (DECRYPT):

round[ 0].iinput  69c4e0d86a7b0430d8cdb78070b4c55a
round[ 0].ik_sch  13111d7fe3944a17f307a78b4d2b30c5
round[ 1].istart  7ad5fda789ef4e272bca100b3d9ff59f
round[ 1].is_box  bdb52189f261b63d0b107c9e8b6e776e
round[ 1].is_row  bd6e7c3df2b5779e0b61216e8b10b689
round[ 1].im_col  4773b91ff72f354361cb018ea1e6cf2c
round[ 1].ik_sch  13aa29be9c8faff6f770f58000f7bf03
round[ 2].istart  54d990a16ba09ab596bbf40ea111702f
round[ 2].is_box  fde596f1054737d235febad7f1e3d04e
round[ 2].is_row  fde3bad205e5d0d73547964ef1fe37f1
round[ 2].im_col  2d7e86a339d9393ee6570a1101904e16
round[ 2].ik_sch  1362a4638f2586486bff5a76f7874a83
round[ 3].istart  3e1c22c0b6fcbf768da85067f6170495
round[ 3].is_box  d1c4941f7955f40fb46f6c0ad68730ad
round[ 3].is_row  d1876c0f79c4300ab45594add66ff41f
round[ 3].im_col  39daee38f4f1a82aaf432410c36d45b9
round[ 3].ik_sch  8d82fc749c47222be4dadc3e9c7810f5
round[ 4].istart  b458124c68b68a014b99f82e5f15554c
round[ 4].is_box  c65e395df779cf09ccf9e1c3842fed5d
round[ 4].is_row  c62fe109f75eedc3cc79395d84f9cf5d
round[ 4].im_col  9a39bf1d05b20a3a476a0bf79fe51184
round[ 4].ik_sch  72e3098d11c5de5f789dfe1578a2cccb
round[ 5].istart  e8dab6901477d4653ff7f5e2e747dd4f
round[ 5].is_box  c87a79969b0219bc2526773bb016c992
round[ 5].is_row  c81677bc9b7ac93b25027992b0261996
round[ 5].im_col  18f78d779a93eef4f6742967c47f5ffd
round[ 5].ik_sch  2ec410276326d7d26958204a003f32de
round[ 6].istart  36339d50f9b539269f2c092dc4406d23
round[ 6].is_box  2466756c69d25b236e4240fa8872b332
round[ 6].is_row  247240236966b3fa6ed2753288425b6c
round[ 6].im_col  85cf8bf472d124c10348f545329c0053
round[ 6].ik_sch  a8a2f5044de2c7f50a7ef79869671294
round[ 7].istart  2d6d7ef03f33e334093602dd5bfb12c7
round[ 7].is_box  fab38a1725664d2840246ac957633931
round[ 7].is_row  fa636a2825b339c940668a3157244d17
round[ 7].im_col  fe1fe1f91934c98210fbfb8da340eb21
round[ 7].ik_sch  c7c6e391e54032f1479c306d6319e50c
round[ 8].istart  3bd92268fc74fb735767cbe0c0590e2d
round[ 8].is_box  49e594f755ca638fda0a59a01f15d7fa
round[ 8].is_row  4915598f55e5d7a0daca94fa1f0a63f7
round[ 8].im_col  076518f0b52ba2fb7a15c8d93be45e00
round[ 8].ik_sch  a0db02992286d160a2dc029c2485d561
round[ 9].istart  a7be1a6997ad739bd8c9ca451f618b61
round[ 9].is_box  895a43e485188fe82d121068cbd8ced8
round[ 9].is_row  89d810e8855ace682d1843d8cb128fe4
round[ 9].im_col  ef053f7c8b3d32fd4d2a64ad3c93071a
round[ 9].ik_sch  8c56dff0825dd3f9805ad3fc8659d7fd
round[10].istart  6353e08c0960e104cd70b751bacad0e7
round[10].is_box  0050a0f04090e03080d02070c01060b0
round[10].is_row  00102030405060708090a0b0c0d0e0f0
round[10].ik_sch  000102030405060708090a0b0c0d0e0f
round[10].ioutput 00112233445566778899aabbccddeeff


C.2 AES-192 (Nk=6, Nr=12)

PLAINTEXT: 00112233445566778899aabbccddeeff

KEY: 000102030405060708090a0b0c0d0e0f1011121314151617

CIPHER (ENCRYPT):

round[ 0].input  00112233445566778899aabbccddeeff
round[ 0].k_sch  000102030405060708090a0b0c0d0e0f
round[ 1].start  00102030405060708090a0b0c0d0e0f0
round[ 1].s_box  63cab7040953d051cd60e0e7ba70e18c
round[ 1].s_row  6353e08c0960e104cd70b751bacad0e7
round[ 1].m_col  5f72641557f5bc92f7be3b291db9f91a
round[ 1].k_sch  10111213141516175846f2f95c43f4fe
round[ 2].start  4f63760643e0aa85aff8c9d041fa0de4
round[ 2].s_box  84fb386f1ae1ac977941dd70832dd769
round[ 2].s_row  84e1dd691a41d76f792d389783fbac70
round[ 2].m_col  9f487f794f955f662afc86abd7f1ab29
round[ 2].k_sch  544afef55847f0fa4856e2e95c43f4fe
round[ 3].start  cb02818c17d2af9c62aa64428bb25fd7
round[ 3].s_box  1f770c64f0b579deaaac432c3d37cf0e
round[ 3].s_row  1fb5430ef0accf64aa370cde3d77792c
round[ 3].m_col  b7a53ecbbf9d75a0c40efc79b674cc11
round[ 3].k_sch  40f949b31cbabd4d48f043b810b7b342
round[ 4].start  f75c7778a327c8ed8cfebfc1a6c37f53
round[ 4].s_box  684af5bc0acce85564bb0878242ed2ed
round[ 4].s_row  68cc08ed0abbd2bc642ef555244ae878
round[ 4].m_col  7a1e98bdacb6d1141a6944dd06eb2d3e
round[ 4].k_sch  58e151ab04a2a5557effb5416245080c
round[ 5].start  22ffc916a81474416496f19c64ae2532
round[ 5].s_box  9316dd47c2fa92834390a1de43e43f23
round[ 5].s_row  93faa123c2903f4743e4dd83431692de
round[ 5].m_col  aaa755b34cffe57cef6f98e1f01c13e6
round[ 5].k_sch  2ab54bb43a02f8f662e3a95d66410c08
round[ 6].start  80121e0776fd1d8a8d8c31bc965d1fee
round[ 6].s_box  cdc972c53854a47e5d64c765904cc028
round[ 6].s_row  cd54c7283864c0c55d4c727e90c9a465
round[ 6].m_col  921f748fd96e937d622d7725ba8ba50c
round[ 6].k_sch  f501857297448d7ebdf1c6ca87f33e3c
round[ 7].start  671ef1fd4e2a1e03dfdcb1ef3d789b30
round[ 7].s_box  8572a1542fe5727b9e86c8df27bc1404
round[ 7].s_row  85e5c8042f8614549ebca17b277272df
round[ 7].m_col  e913e7b18f507d4b227ef652758acbcc
round[ 7].k_sch  e510976183519b6934157c9ea351f1e0
round[ 8].start  0c0370d00c01e622166b8accd6db3a2c
round[ 8].s_box  fe7b5170fe7c8e93477f7e4bf6b98071
round[ 8].s_row  fe7c7e71fe7f807047b95193f67b8e4b
round[ 8].m_col  6cf5edf996eb0a069c4ef21cbfc25762
round[ 8].k_sch  1ea0372a995309167c439e77ff12051e
round[ 9].start  7255dad30fb80310e00d6c6b40d0527c
round[ 9].s_box  40fc5766766c7bcae1d7507f09700010
round[ 9].s_row  406c501076d70066e17057ca09fc7b7f
round[ 9].m_col  7478bcdce8a50b81d4327a9009188262
round[ 9].k_sch  dd7e0e887e2fff68608fc842f9dcc154
round[10].start  a906b254968af4e9b4bdb2d2f0c44336
round[10].s_box  d36f3720907ebf1e8d7a37b58c1c1a05
round[10].s_row  d37e3705907a1a208d1c371e8c6fbfb5
round[10].m_col  0d73cc2d8f6abe8b0cf2dd9bb83d422e
round[10].k_sch  859f5f237a8d5a3dc0c02952beefd63a
round[11].start  88ec930ef5e7e4b6cc32f4c906d29414
round[11].s_box  c4cedcabe694694e4b23bfdd6fb522fa
round[11].s_row  c494bffae62322ab4bb5dc4e6fce69dd
round[11].m_col  71d720933b6d677dc00b8f28238e0fb7
round[11].k_sch  de601e7827bcdf2ca223800fd8aeda32
round[12].start  afb73eeb1cd1b85162280f27fb20d585
round[12].s_box  79a9b2e99c3e6cd1aa3476cc0fb70397
round[12].s_row  793e76979c3403e9aab7b2d10fa96ccc
round[12].k_sch  a4970a331a78dc09c418c271e3a41d5d
round[12].output dda97ca4864cdfe06eaf70a0ec0d7191

INVERSE CIPHER (DECRYPT):

round[ 0].iinput  dda97ca4864cdfe06eaf70a0ec0d7191
round[ 0].ik_sch  a4970a331a78dc09c418c271e3a41d5d
round[ 1].istart  793e76979c3403e9aab7b2d10fa96ccc
round[ 1].is_row  79a9b2e99c3e6cd1aa3476cc0fb70397
round[ 1].is_box  afb73eeb1cd1b85162280f27fb20d585
round[ 1].ik_sch  de601e7827bcdf2ca223800fd8aeda32
round[ 1].ik_add  71d720933b6d677dc00b8f28238e0fb7
round[ 2].istart  c494bffae62322ab4bb5dc4e6fce69dd
round[ 2].is_row  c4cedcabe694694e4b23bfdd6fb522fa
round[ 2].is_box  88ec930ef5e7e4b6cc32f4c906d29414
round[ 2].ik_sch  859f5f237a8d5a3dc0c02952beefd63a
round[ 2].ik_add  0d73cc2d8f6abe8b0cf2dd9bb83d422e
round[ 3].istart  d37e3705907a1a208d1c371e8c6fbfb5
round[ 3].is_row  d36f3720907ebf1e8d7a37b58c1c1a05
round[ 3].is_box  a906b254968af4e9b4bdb2d2f0c44336
round[ 3].ik_sch  dd7e0e887e2fff68608fc842f9dcc154
round[ 3].ik_add  7478bcdce8a50b81d4327a9009188262
round[ 4].istart  406c501076d70066e17057ca09fc7b7f
round[ 4].is_row  40fc5766766c7bcae1d7507f09700010
round[ 4].is_box  7255dad30fb80310e00d6c6b40d0527c
round[ 4].ik_sch  1ea0372a995309167c439e77ff12051e
round[ 4].ik_add  6cf5edf996eb0a069c4ef21cbfc25762
round[ 5].istart  fe7c7e71fe7f807047b95193f67b8e4b
round[ 5].is_row  fe7b5170fe7c8e93477f7e4bf6b98071
round[ 5].is_box  0c0370d00c01e622166b8accd6db3a2c
round[ 5].ik_sch  e510976183519b6934157c9ea351f1e0
round[ 5].ik_add  e913e7b18f507d4b227ef652758acbcc
round[ 6].istart  85e5c8042f8614549ebca17b277272df
round[ 6].is_row  8572a1542fe5727b9e86c8df27bc1404
round[ 6].is_box  671ef1fd4e2a1e03dfdcb1ef3d789b30
round[ 6].ik_sch  f501857297448d7ebdf1c6ca87f33e3c
round[ 6].ik_add  921f748fd96e937d622d7725ba8ba50c
round[ 7].istart  cd54c7283864c0c55d4c727e90c9a465
round[ 7].is_row  cdc972c53854a47e5d64c765904cc028
round[ 7].is_box  80121e0776fd1d8a8d8c31bc965d1fee
round[ 7].ik_sch  2ab54bb43a02f8f662e3a95d66410c08
round[ 7].ik_add  aaa755b34cffe57cef6f98e1f01c13e6
round[ 8].istart  93faa123c2903f4743e4dd83431692de
round[ 8].is_row  9316dd47c2fa92834390a1de43e43f23
round[ 8].is_box  22ffc916a81474416496f19c64ae2532
round[ 8].ik_sch  58e151ab04a2a5557effb5416245080c
round[ 8].ik_add  7a1e98bdacb6d1141a6944dd06eb2d3e
round[ 9].istart  68cc08ed0abbd2bc642ef555244ae878
round[ 9].is_row  684af5bc0acce85564bb0878242ed2ed
round[ 9].is_box  f75c7778a327c8ed8cfebfc1a6c37f53
round[ 9].ik_sch  40f949b31cbabd4d48f043b810b7b342
round[ 9].ik_add  b7a53ecbbf9d75a0c40efc79b674cc11
round[10].istart  1fb5430ef0accf64aa370cde3d77792c
round[10].is_row  1f770c64f0b579deaaac432c3d37cf0e
round[10].is_box  cb02818c17d2af9c62aa64428bb25fd7
round[10].ik_sch  544afef55847f0fa4856e2e95c43f4fe
round[10].ik_add  9f487f794f955f662afc86abd7f1ab29
round[11].istart  84e1dd691a41d76f792d389783fbac70
round[11].is_row  84fb386f1ae1ac977941dd70832dd769
round[11].is_box  4f63760643e0aa85aff8c9d041fa0de4
round[11].ik_sch  10111213141516175846f2f95c43f4fe
round[11].ik_add  5f72641557f5bc92f7be3b291db9f91a
round[12].istart  6353e08c0960e104cd70b751bacad0e7
round[12].is_row  63cab7040953d051cd60e0e7ba70e18c
round[12].is_box  00102030405060708090a0b0c0d0e0f0
round[12].ik_sch  000102030405060708090a0b0c0d0e0f
round[12].ioutput 00112233445566778899aabbccddeeff


EQUIVALENT INVERSE CIPHER (DECRYPT):

round[ 0].iinput  dda97ca4864cdfe06eaf70a0ec0d7191
round[ 0].ik_sch  a4970a331a78dc09c418c271e3a41d5d
round[ 1].istart  793e76979c3403e9aab7b2d10fa96ccc
round[ 1].is_box  afd10f851c28d5eb62203e51fbb7b827
round[ 1].is_row  afb73eeb1cd1b85162280f27fb20d585
round[ 1].im_col  122a02f7242ac8e20605afce51cc7264
round[ 1].ik_sch  d6bebd0dc209ea494db073803e021bb9
round[ 2].istart  c494bffae62322ab4bb5dc4e6fce69dd
round[ 2].is_box  88e7f414f532940eccd293b606ece4c9
round[ 2].is_row  88ec930ef5e7e4b6cc32f4c906d29414
round[ 2].im_col  5cc7aecce3c872194ae5ef8309a933c7
round[ 2].ik_sch  8fb999c973b26839c7f9d89d85c68c72
round[ 3].istart  d37e3705907a1a208d1c371e8c6fbfb5
round[ 3].is_box  a98ab23696bd4354b4c4b2e9f006f4d2
round[ 3].is_row  a906b254968af4e9b4bdb2d2f0c44336
round[ 3].im_col  b7113ed134e85489b20866b51d4b2c3b
round[ 3].ik_sch  f77d6ec1423f54ef5378317f14b75744
round[ 4].istart  406c501076d70066e17057ca09fc7b7f
round[ 4].is_box  72b86c7c0f0d52d3e0d0da104055036b
round[ 4].is_row  7255dad30fb80310e00d6c6b40d0527c
round[ 4].im_col  ef3b1be1b9b0e64bdcb79f1e0a707fbb
round[ 4].ik_sch  1147659047cf663b9b0ece8dfc0bf1f0
round[ 5].istart  fe7c7e71fe7f807047b95193f67b8e4b
round[ 5].is_box  0c018a2c0c6b3ad016db7022d603e6cc
round[ 5].is_row  0c0370d00c01e622166b8accd6db3a2c
round[ 5].im_col  592460b248832b2952e0b831923048f1
round[ 5].ik_sch  dcc1a8b667053f7dcc5c194ab5423a2e
round[ 6].istart  85e5c8042f8614549ebca17b277272df
round[ 6].is_box  672ab1304edc9bfddf78f1033d1e1eef
round[ 6].is_row  671ef1fd4e2a1e03dfdcb1ef3d789b30
round[ 6].im_col  0b8a7783417ae3a1f9492dc0c641a7ce
round[ 6].ik_sch  c6deb0ab791e2364a4055fbe568803ab
round[ 7].istart  cd54c7283864c0c55d4c727e90c9a465
round[ 7].is_box  80fd31ee768c1f078d5d1e8a96121dbc
round[ 7].is_row  80121e0776fd1d8a8d8c31bc965d1fee
round[ 7].im_col  4ee1ddf9301d6352c9ad769ef8d20515
round[ 7].ik_sch  dd1b7cdaf28d5c158a49ab1dbbc497cb
round[ 8].istart  93faa123c2903f4743e4dd83431692de
round[ 8].is_box  2214f132a896251664aec94164ff749c
round[ 8].is_row  22ffc916a81474416496f19c64ae2532
round[ 8].im_col  1008ffe53b36ee6af27b42549b8a7bb7
round[ 8].ik_sch  78c4f708318d3cd69655b701bfc093cf
round[ 9].istart  68cc08ed0abbd2bc642ef555244ae878
round[ 9].is_box  f727bf53a3fe7f788cc377eda65cc8c1
round[ 9].is_row  f75c7778a327c8ed8cfebfc1a6c37f53
round[ 9].im_col  7f69ac1ed939ebaac8ece3cb12e159e3
round[ 9].ik_sch  60dcef10299524ce62dbef152f9620cf
round[10].istart  1fb5430ef0accf64aa370cde3d77792c
round[10].is_box  cbd264d717aa5f8c62b2819c8b02af42
round[10].is_row  cb02818c17d2af9c62aa64428bb25fd7
round[10].im_col  cfaf16b2570c18b52e7fef50cab267ae
round[10].ik_sch  4b4ecbdb4d4dcfda5752d7c74949cbde
round[11].istart  84e1dd691a41d76f792d389783fbac70
round[11].is_box  4fe0c9e443f80d06affa76854163aad0
round[11].is_row  4f63760643e0aa85aff8c9d041fa0de4
round[11].im_col  794cf891177bfd1d8a327086f3831b39
round[11].ik_sch  1a1f181d1e1b1c194742c7d74949cbde
round[12].istart  6353e08c0960e104cd70b751bacad0e7
round[12].is_box  0050a0f04090e03080d02070c01060b0
round[12].is_row  00102030405060708090a0b0c0d0e0f0
round[12].ik_sch  000102030405060708090a0b0c0d0e0f
round[12].ioutput 00112233445566778899aabbccddeeff


C.3 AES-256 (Nk=8, Nr=14)

PLAINTEXT: 00112233445566778899aabbccddeeff

KEY: 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f

CIPHER (ENCRYPT):

round[ 0].input  00112233445566778899aabbccddeeff
round[ 0].k_sch  000102030405060708090a0b0c0d0e0f
round[ 1].start  00102030405060708090a0b0c0d0e0f0
round[ 1].s_box  63cab7040953d051cd60e0e7ba70e18c
round[ 1].s_row  6353e08c0960e104cd70b751bacad0e7
round[ 1].m_col  5f72641557f5bc92f7be3b291db9f91a
round[ 1].k_sch  101112131415161718191a1b1c1d1e1f
round[ 2].start  4f63760643e0aa85efa7213201a4e705
round[ 2].s_box  84fb386f1ae1ac97df5cfd237c49946b
round[ 2].s_row  84e1fd6b1a5c946fdf4938977cfbac23
round[ 2].m_col  bd2a395d2b6ac438d192443e615da195
round[ 2].k_sch  a573c29fa176c498a97fce93a572c09c
round[ 3].start  1859fbc28a1c00a078ed8aadc42f6109
round[ 3].s_box  adcb0f257e9c63e0bc557e951c15ef01
round[ 3].s_row  ad9c7e017e55ef25bc150fe01ccb6395
round[ 3].m_col  810dce0cc9db8172b3678c1e88a1b5bd
round[ 3].k_sch  1651a8cd0244beda1a5da4c10640bade
round[ 4].start  975c66c1cb9f3fa8a93a28df8ee10f63
round[ 4].s_box  884a33781fdb75c2d380349e19f876fb
round[ 4].s_row  88db34fb1f807678d3f833c2194a759e
round[ 4].m_col  b2822d81abe6fb275faf103a078c0033
round[ 4].k_sch  ae87dff00ff11b68a68ed5fb03fc1567
round[ 5].start  1c05f271a417e04ff921c5c104701554
round[ 5].s_box  9c6b89a349f0e18499fda678f2515920
round[ 5].s_row  9cf0a62049fd59a399518984f26be178
round[ 5].m_col  aeb65ba974e0f822d73f567bdb64c877
round[ 5].k_sch  6de1f1486fa54f9275f8eb5373b8518d
round[ 6].start  c357aae11b45b7b0a2c7bd28a8dc99fa
round[ 6].s_box  2e5bacf8af6ea9e73ac67a34c286ee2d
round[ 6].s_row  2e6e7a2dafc6eef83a86ace7c25ba934
round[ 6].m_col  b951c33c02e9bd29ae25cdb1efa08cc7
round[ 6].k_sch  c656827fc9a799176f294cec6cd5598b
round[ 7].start  7f074143cb4e243ec10c815d8375d54c
round[ 7].s_box  d2c5831a1f2f36b278fe0c4cec9d0329
round[ 7].s_row  d22f0c291ffe031a789d83b2ecc5364c
round[ 7].m_col  ebb19e1c3ee7c9e87d7535e9ed6b9144
round[ 7].k_sch  3de23a75524775e727bf9eb45407cf39
round[ 8].start  d653a4696ca0bc0f5acaab5db96c5e7d
round[ 8].s_box  f6ed49f950e06576be74624c565058ff
round[ 8].s_row  f6e062ff507458f9be50497656ed654c
round[ 8].m_col  5174c8669da98435a8b3e62ca974a5ea
round[ 8].k_sch  0bdc905fc27b0948ad5245a4c1871c2f
round[ 9].start  5aa858395fd28d7d05e1a38868f3b9c5
round[ 9].s_box  bec26a12cfb55dff6bf80ac4450d56a6
round[ 9].s_row  beb50aa6cff856126b0d6aff45c25dc4
round[ 9].m_col  0f77ee31d2ccadc05430a83f4ef96ac3
round[ 9].k_sch  45f5a66017b2d387300d4d33640a820a
round[10].start  4a824851c57e7e47643de50c2af3e8c9
round[10].s_box  d61352d1a6f3f3a04327d9fee50d9bdd
round[10].s_row  d6f3d9dda6279bd1430d52a0e513f3fe
round[10].m_col  bd86f0ea748fc4f4630f11c1e9331233
round[10].k_sch  7ccff71cbeb4fe5413e6bbf0d261a7df
round[11].start  c14907f6ca3b3aa070e9aa313b52b5ec
round[11].s_box  783bc54274e280e0511eacc7e200d5ce
round[11].s_row  78e2acce741ed5425100c5e0e23b80c7
round[11].m_col  af8690415d6e1dd387e5fbedd5c89013
round[11].k_sch  f01afafee7a82979d7a5644ab3afe640
round[12].start  5f9c6abfbac634aa50409fa766677653
round[12].s_box  cfde0208f4b418ac5309db5c338538ed
round[12].s_row  cfb4dbedf4093808538502ac33de185c
round[12].m_col  7427fae4d8a695269ce83d315be0392b
round[12].k_sch  2541fe719bf500258813bbd55a721c0a
round[13].start  516604954353950314fb86e401922521
round[13].s_box  d133f22a1aed2a7bfa0f44697c4f3ffd
round[13].s_row  d1ed44fd1a0f3f2afa4ff27b7c332a69
round[13].m_col  2c21a820306f154ab712c75eee0da04f
round[13].k_sch  4e5a6699a9f24fe07e572baacdf8cdea
round[14].start  627bceb9999d5aaac945ecf423f56da5
round[14].s_box  aa218b56ee5ebeacdd6ecebf26e63c06
round[14].s_row  aa5ece06ee6e3c56dde68bac2621bebf
round[14].k_sch  24fc79ccbf0979e9371ac23c6d68de36
round[14].output 8ea2b7ca516745bfeafc49904b496089


INVERSE CIPHER (DECRYPT):

round[ 0].iinput  8ea2b7ca516745bfeafc49904b496089
round[ 0].ik_sch  24fc79ccbf0979e9371ac23c6d68de36
round[ 1].istart  aa5ece06ee6e3c56dde68bac2621bebf
round[ 1].is_row  aa218b56ee5ebeacdd6ecebf26e63c06
round[ 1].is_box  627bceb9999d5aaac945ecf423f56da5
round[ 1].ik_sch  4e5a6699a9f24fe07e572baacdf8cdea
round[ 1].ik_add  2c21a820306f154ab712c75eee0da04f
round[ 2].istart  d1ed44fd1a0f3f2afa4ff27b7c332a69
round[ 2].is_row  d133f22a1aed2a7bfa0f44697c4f3ffd
round[ 2].is_box  516604954353950314fb86e401922521
round[ 2].ik_sch  2541fe719bf500258813bbd55a721c0a
round[ 2].ik_add  7427fae4d8a695269ce83d315be0392b
round[ 3].istart  cfb4dbedf4093808538502ac33de185c
round[ 3].is_row  cfde0208f4b418ac5309db5c338538ed
round[ 3].is_box  5f9c6abfbac634aa50409fa766677653
round[ 3].ik_sch  f01afafee7a82979d7a5644ab3afe640
round[ 3].ik_add  af8690415d6e1dd387e5fbedd5c89013
round[ 4].istart  78e2acce741ed5425100c5e0e23b80c7
round[ 4].is_row  783bc54274e280e0511eacc7e200d5ce
round[ 4].is_box  c14907f6ca3b3aa070e9aa313b52b5ec
round[ 4].ik_sch  7ccff71cbeb4fe5413e6bbf0d261a7df
round[ 4].ik_add  bd86f0ea748fc4f4630f11c1e9331233
round[ 5].istart  d6f3d9dda6279bd1430d52a0e513f3fe
round[ 5].is_row  d61352d1a6f3f3a04327d9fee50d9bdd
round[ 5].is_box  4a824851c57e7e47643de50c2af3e8c9
round[ 5].ik_sch  45f5a66017b2d387300d4d33640a820a
round[ 5].ik_add  0f77ee31d2ccadc05430a83f4ef96ac3
round[ 6].istart  beb50aa6cff856126b0d6aff45c25dc4
round[ 6].is_row  bec26a12cfb55dff6bf80ac4450d56a6
round[ 6].is_box  5aa858395fd28d7d05e1a38868f3b9c5
round[ 6].ik_sch  0bdc905fc27b0948ad5245a4c1871c2f
round[ 6].ik_add  5174c8669da98435a8b3e62ca974a5ea
round[ 7].istart  f6e062ff507458f9be50497656ed654c
round[ 7].is_row  f6ed49f950e06576be74624c565058ff
round[ 7].is_box  d653a4696ca0bc0f5acaab5db96c5e7d
round[ 7].ik_sch  3de23a75524775e727bf9eb45407cf39
round[ 7].ik_add  ebb19e1c3ee7c9e87d7535e9ed6b9144
round[ 8].istart  d22f0c291ffe031a789d83b2ecc5364c
round[ 8].is_row  d2c5831a1f2f36b278fe0c4cec9d0329
round[ 8].is_box  7f074143cb4e243ec10c815d8375d54c
round[ 8].ik_sch  c656827fc9a799176f294cec6cd5598b
round[ 8].ik_add  b951c33c02e9bd29ae25cdb1efa08cc7
round[ 9].istart  2e6e7a2dafc6eef83a86ace7c25ba934
round[ 9].is_row  2e5bacf8af6ea9e73ac67a34c286ee2d
round[ 9].is_box  c357aae11b45b7b0a2c7bd28a8dc99fa
round[ 9].ik_sch  6de1f1486fa54f9275f8eb5373b8518d
round[ 9].ik_add  aeb65ba974e0f822d73f567bdb64c877
round[10].istart  9cf0a62049fd59a399518984f26be178
round[10].is_row  9c6b89a349f0e18499fda678f2515920
round[10].is_box  1c05f271a417e04ff921c5c104701554
round[10].ik_sch  ae87dff00ff11b68a68ed5fb03fc1567
round[10].ik_add  b2822d81abe6fb275faf103a078c0033
round[11].istart  88db34fb1f807678d3f833c2194a759e
round[11].is_row  884a33781fdb75c2d380349e19f876fb
round[11].is_box  975c66c1cb9f3fa8a93a28df8ee10f63
round[11].ik_sch  1651a8cd0244beda1a5da4c10640bade
round[11].ik_add  810dce0cc9db8172b3678c1e88a1b5bd
round[12].istart  ad9c7e017e55ef25bc150fe01ccb6395
round[12].is_row  adcb0f257e9c63e0bc557e951c15ef01
round[12].is_box  1859fbc28a1c00a078ed8aadc42f6109
round[12].ik_sch  a573c29fa176c498a97fce93a572c09c
round[12].ik_add  bd2a395d2b6ac438d192443e615da195
round[13].istart  84e1fd6b1a5c946fdf4938977cfbac23
round[13].is_row  84fb386f1ae1ac97df5cfd237c49946b
round[13].is_box  4f63760643e0aa85efa7213201a4e705
round[13].ik_sch  101112131415161718191a1b1c1d1e1f
round[13].ik_add  5f72641557f5bc92f7be3b291db9f91a
round[14].istart  6353e08c0960e104cd70b751bacad0e7
round[14].is_row  63cab7040953d051cd60e0e7ba70e18c
round[14].is_box  00102030405060708090a0b0c0d0e0f0
round[14].ik_sch  000102030405060708090a0b0c0d0e0f
round[14].ioutput 00112233445566778899aabbccddeeff


EQUIVALENT INVERSE CIPHER (DECRYPT):

round[ 0].iinput  8ea2b7ca516745bfeafc49904b496089
round[ 0].ik_sch  24fc79ccbf0979e9371ac23c6d68de36
round[ 1].istart  aa5ece06ee6e3c56dde68bac2621bebf
round[ 1].is_box  629deca599456db9c9f5ceaa237b5af4
round[ 1].is_row  627bceb9999d5aaac945ecf423f56da5
round[ 1].im_col  e51c9502a5c1950506a61024596b2b07
round[ 1].ik_sch  34f1d1ffbfceaa2ffce9e25f2558016e
round[ 2].istart  d1ed44fd1a0f3f2afa4ff27b7c332a69
round[ 2].is_box  5153862143fb259514920403016695e4
round[ 2].is_row  516604954353950314fb86e401922521
round[ 2].im_col  91a29306cc450d0226f4b5eaef5efed8
round[ 2].ik_sch  5e1648eb384c350a7571b746dc80e684
round[ 3].istart  cfb4dbedf4093808538502ac33de185c
round[ 3].is_box  5fc69f53ba4076bf50676aaa669c34a7
round[ 3].is_row  5f9c6abfbac634aa50409fa766677653
round[ 3].im_col  b041a94eff21ae9212278d903b8a63f6
round[ 3].ik_sch  c8a305808b3f7bd043274870d9b1e331
round[ 4].istart  78e2acce741ed5425100c5e0e23b80c7
round[ 4].is_box  c13baaeccae9b5f6705207a03b493a31
round[ 4].is_row  c14907f6ca3b3aa070e9aa313b52b5ec
round[ 4].im_col  638357cec07de6300e30d0ec4ce2a23c
round[ 4].ik_sch  b5708e13665a7de14d3d824ca9f151c2
round[ 5].istart  d6f3d9dda6279bd1430d52a0e513f3fe
round[ 5].is_box  4a7ee5c9c53de85164f348472a827e0c
round[ 5].is_row  4a824851c57e7e47643de50c2af3e8c9
round[ 5].im_col  ca6f71058c642842a315595fdf54f685
round[ 5].ik_sch  74da7ba3439c7e50c81833a09a96ab41
round[ 6].istart  beb50aa6cff856126b0d6aff45c25dc4
round[ 6].is_box  5ad2a3c55fe1b93905f3587d68a88d88
round[ 6].is_row  5aa858395fd28d7d05e1a38868f3b9c5
round[ 6].im_col  ca46f5ea835eab0b9537b6dbb221b6c2
round[ 6].ik_sch  3ca69715d32af3f22b67ffade4ccd38e
round[ 7].istart  f6e062ff507458f9be50497656ed654c
round[ 7].is_box  d6a0ab7d6cca5e695a6ca40fb953bc5d
round[ 7].is_row  d653a4696ca0bc0f5acaab5db96c5e7d
round[ 7].im_col  2a70c8da28b806e9f319ce42be4baead
round[ 7].ik_sch  f85fc4f3374605f38b844df0528e98e1
round[ 8].istart  d22f0c291ffe031a789d83b2ecc5364c
round[ 8].is_box  7f4e814ccb0cd543c175413e8307245d
round[ 8].is_row  7f074143cb4e243ec10c815d8375d54c
round[ 8].im_col  f0073ab7404a8a1fc2cba0b80df08517
round[ 8].ik_sch  de69409aef8c64e7f84d0c5fcfab2c23
round[ 9].istart  2e6e7a2dafc6eef83a86ace7c25ba934
round[ 9].is_box  c345bdfa1bc799e1a2dcaab0a857b728
round[ 9].is_row  c357aae11b45b7b0a2c7bd28a8dc99fa
round[ 9].im_col  3225fe3686e498a32593c1872b613469
round[ 9].ik_sch  aed55816cf19c100bcc24803d90ad511
round[10].istart  9cf0a62049fd59a399518984f26be178
round[10].is_box  1c17c554a4211571f970f24f0405e0c1
round[10].is_row  1c05f271a417e04ff921c5c104701554
round[10].im_col  9d1d5c462e655205c4395b7a2eac55e2
round[10].ik_sch  15c668bd31e5247d17c168b837e6207c
round[11].istart  88db34fb1f807678d3f833c2194a759e
round[11].is_box  979f2863cb3a0fc1a9e166a88e5c3fdf
round[11].is_row  975c66c1cb9f3fa8a93a28df8ee10f63
round[11].im_col  d24bfb0e1f997633cfce86e37903fe87
round[11].ik_sch  7fd7850f61cc991673db890365c89d12
round[12].istart  ad9c7e017e55ef25bc150fe01ccb6395
round[12].is_box  181c8a098aed61c2782ffba0c45900ad
round[12].is_row  1859fbc28a1c00a078ed8aadc42f6109
round[12].im_col  aec9bda23e7fd8aff96d74525cdce4e7
round[12].ik_sch  2a2840c924234cc026244cc5202748c4
round[13].istart  84e1fd6b1a5c946fdf4938977cfbac23
round[13].is_box  4fe0210543a7e706efa476850163aa32
round[13].is_row  4f63760643e0aa85efa7213201a4e705
round[13].im_col  794cf891177bfd1ddf67a744acd9c4f6
round[13].ik_sch  1a1f181d1e1b1c191217101516131411
round[14].istart  6353e08c0960e104cd70b751bacad0e7
round[14].is_box  0050a0f04090e03080d02070c01060b0
round[14].is_row  00102030405060708090a0b0c0d0e0f0
round[14].ik_sch  000102030405060708090a0b0c0d0e0f
round[14].ioutput 00112233445566778899aabbccddeeff




Appendix  D  -  References 


[1] AES page available via http://www.nist.gov/CryptoToolkit.⁴

[2] Computer Security Objects Register (CSOR): http://csrc.nist.gov/csor/.

[3] J. Daemen and V. Rijmen, AES Proposal: Rijndael, AES Algorithm Submission,
September 3, 1999, available at [1].

[4] J. Daemen and V. Rijmen, The block cipher Rijndael, Smart Card research and
Applications, LNCS 1820, Springer-Verlag, pp. 288-296.

[5] B. Gladman's AES related home page
http://fp.gladman.plus.com/cryptography_technology/.

[6] A. Lee, NIST Special Publication 800-21, Guideline for Implementing Cryptography
in the Federal Government, National Institute of Standards and Technology,
November 1999.

[7] A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography,
CRC Press, New York, 1997, p. 81-83.

[8] J. Nechvatal, et al., Report on the Development of the Advanced Encryption Standard
(AES), National Institute of Standards and Technology, October 2, 2000, available at
[1].


⁴ A complete set of documentation from the AES development effort - including announcements, public comments,
analysis papers, conference proceedings, etc. - is available from this site.




